Abstract

Concurrent non-malleability (CNM) is central for cryptographic protocols running concurrently
in environments such as the Internet. In this work, we formulate CNM in the bare public-key (BPK)
model, and show that round-efficient concurrent non-malleable cryptography with full adaptive input
selection can be established, in general, with bare public-keys (where, in particular, no trusted
third party is assumed). Along the way, we clarify the various subtleties of adaptive concurrent
non-malleability in the bare public-key model.
1 Introduction

Concurrent non-malleability is central for cryptographic protocols secure against concurrent
man-in-the-middle (CMIM) attacks. In the CMIM setting, polynomially many concurrently executing instances
(sessions) of a protocol take place in an asynchronous setting (appropriate for environments such as
the Internet), and all the unauthenticated communication channels (among all the concurrent sessions)
are controlled by a probabilistic polynomial-time (PPT) CMIM adversary A. In this setting, honest
players are assumed to be oblivious of each other's existence, and they generally do not know the topology
of the network, so they cannot coordinate their executions. The CMIM adversary A (controlling the
communication channels) can do whatever it wishes. When CNM with adaptive input selection is
considered, A can also set the input to each session.

Unfortunately, in the stringent CMIM setting, large classes of cryptographic functionalities cannot
be securely implemented round-efficiently, and cannot even be securely implemented with non-constant
round-complexity against adaptive input-selecting CMIM adversaries in the plain model [13, 53, 51].
In such cases, some setup assumptions are necessary, and establishing the general feasibility of
round-efficient concurrent non-malleable cryptography with adaptive input selection, with setups as
minimal as possible, has been a basic problem attracting intensive research effort in the literature.

In this work, we investigate CNM security in the bare public-key model (introduced by Canetti,
Goldreich, Goldwasser and Micali [11]). A protocol in the BPK model simply assumes that all players
have each deposited a public key in a public file before any interaction takes place among the users.
Note that no assumption is made on whether the public-keys deposited are unique or valid (i.e., public
keys can even be "nonsensical," where no corresponding secret-keys exist or are known) [12]. That is, no
trusted third party is assumed, the underlying communication network is assumed to be adversarially
asynchronous, and preprocessing is reduced to minimally and non-interactively posting public-keys in a
public file. In many cryptographic settings, availability of a public key infrastructure (PKI) is assumed
or required, and in these settings the BPK model is both natural and attractive (note that the BPK
model is, in fact, a weaker version of PKI, where in the latter added key certification is assumed). It was
pointed out by Micali and Reyzin [55] that BPK is, in fact, applicable to interactive systems in general.

1.1 Our contributions 

We examine concurrent non-malleability in the BPK model, by investigating two types of protocols,
specifically, zero-knowledge (ZK) [42] and coin-tossing (CT), both of which are central and fundamental
to modern cryptography.

We show the insufficiency of existing CNM formulations in the public-key model, and reformulate CNM
zero-knowledge (CNMZK) and CNM coin-tossing (CNMCT) in the BPK model. The CNMCT definition
implies (or serves as a general basis to formulate) the CNM security for any cryptographic protocol
in the BPK model against CMIM with full adaptive input selection. By CMIM with full adaptive input
selection, we mean that the CMIM adversary can set inputs to all concurrent sessions; furthermore, and
different from the traditional formulation of adaptive input selection, the adversary does not necessarily
set the input to each session at the beginning of the session. Rather, the input may be set during
the session, based on the whole transcript evolution (of other concurrent sessions as well as the current
session). Also, similar to [66], we allow the CMIM adversary to adaptively set the language to be proved
in right sessions, based on players' public-keys and common statements of left sessions. We motivate the
desirability of achieving CNM security against CMIM with full adaptive input selection, and clarify the
various subtleties of the CNM formulations with in-depth discussions. The CNM reformulations, and the
various subtlety clarifications and discussions, constitute independent contributions of this work, which
provide the insight for understanding the complex and subtle nature of (adaptive) CNM with bare
public-keys.

We then present a constant-round CNMCT protocol in the BPK model under standard assumptions,
which is enabled by the recent celebrated Pass-Rosen ZK (PRZK) result [63, 64]. The importance of
the CNMCT protocol is that it can be used to transform concurrent non-malleable protocols that are
originally developed in the common random string (CRS) model into the weaker BPK model (with
full adaptive input selection). That is, round-efficient concurrent non-malleable cryptography (with full
adaptive input selection) can be established with bare public-keys, in general.

1.2 Related works 

The concept of non-malleability was introduced by Dolev, Dwork and Naor in the seminal work [27]. The
work of [27] also presents non-constant-round non-malleable commitment and zero-knowledge protocols.
A constant-round non-malleable coin-tossing protocol in the plain model (and accordingly, constant-round
non-malleable zero-knowledge arguments for NP and commitment schemes, by combining the result of
[21]) is achieved by Barak [2]. The non-malleable coin-tossing protocol of [2] employs non-black-box
techniques (introduced in [1]) in a critical way. CNMZK with poly-logarithmic round complexity is
achieved in the plain model [6].

A large number of concurrent non-malleable (and, strongest, universally composable) cryptographic
protocols are developed in the common reference/random string model, where a common reference/random
string is selected by a trusted third party and is known to all players (e.g., [21, 19], among others). The
work of [17] demonstrates the general feasibility of concurrent non-malleability with the timing assumption,
where each party has a local clock and all clocks proceed at approximately the same rate.

The CNMCT formulation and construction presented in this work are based on the incomplete work
of [69], but with significant extension and correction in view of the recent advances in security
formulations (e.g., the formulation of secret-key independent knowledge-extraction [66]) and non-malleable
building tools (e.g., the PRZK result [63, 64]). The situation with adaptive concurrent non-malleability
in the bare public-key model turns out to be notoriously subtle and somewhat confused. There are
several works that deal with concurrent non-malleability in the BPK model [69, 60, 22, 61] (the works
of [60, 22, 61] consider a specific protocol, namely CNMZK, in the BPK model). But a careful
investigation shows that the CNM formulations in all existing works are flawed or incomplete (details
are given in a later section). Also, no previous protocols in the BPK model or the plain model can be
proved CNM secure against CMIM with full adaptive input selection. Actually, the possibility of CNM
with adaptive input selection in the BPK model itself turns out to be a subtle issue, and was not clarified
in existing works.

2 Preliminaries 

Basic notation. We use standard notations and conventions below for writing probabilistic algorithms,
experiments and interactive protocols. If $A$ is a probabilistic algorithm, then $A(x_1, x_2, \ldots; r)$ is the
result of running $A$ on inputs $x_1, x_2, \ldots$ and coins $r$. We let $y \leftarrow A(x_1, x_2, \ldots)$ denote the experiment
of picking $r$ at random and letting $y$ be $A(x_1, x_2, \ldots; r)$. If $S$ is a finite set then $x \leftarrow S$ is the operation
of picking an element uniformly from $S$. If $\alpha$ is neither an algorithm nor a set then $x \leftarrow \alpha$ is a simple
assignment statement. By $[R_1; \cdots; R_n : v]$ we denote the set of values of $v$ that a random variable
can assume, due to the distribution determined by the sequence of random processes $R_1, R_2, \ldots, R_n$.
By $\Pr[R_1; \cdots; R_n : E]$ we denote the probability of event $E$, after the ordered execution of random
processes $R_1, \ldots, R_n$.

Let $(P, V)$ be a probabilistic interactive protocol; then the notation $(y_1, y_2) \leftarrow \langle P(x_1), V(x_2) \rangle(x)$
denotes the random process of running interactive protocol $(P, V)$ on common input $x$, where $P$ has
private input $x_1$, $V$ has private input $x_2$, $y_1$ is $P$'s output and $y_2$ is $V$'s output. We assume w.l.o.g.
that the output of both parties $P$ and $V$ at the end of an execution of the protocol $(P, V)$ contains a
transcript of the communication exchanged between $P$ and $V$ during such execution.

The security of cryptographic primitives and tools presented throughout this work is defined with
respect to uniform polynomial-time algorithms. When it comes to non-uniform security, we refer to
non-uniform polynomial-time algorithms (equivalently, families of polynomial-size circuits).



On a security parameter $n$ (also written as $1^n$), a function $\mu(\cdot)$ is negligible if for every polynomial $p(\cdot)$
there exists a value $N$ such that for all $n > N$ it holds that $\mu(n) < 1/p(n)$. Let $X = \{X(n, z)\}_{n \in \mathbb{N}, z \in \{0,1\}^*}$
and $Y = \{Y(n, z)\}_{n \in \mathbb{N}, z \in \{0,1\}^*}$ be distribution ensembles. Then we say that $X$ and $Y$ are computationally
(resp., statistically) indistinguishable if for every probabilistic polynomial-time (resp., any, even computationally
unbounded) algorithm $D$, for all sufficiently large $n$, and every $z \in \{0,1\}^*$,
$|\Pr[D(n, z, X(n, z)) = 1] - \Pr[D(n, z, Y(n, z)) = 1]|$ is negligible in $n$.

Definition 2.1 (one-way function) A function $f : \{0,1\}^* \to \{0,1\}^*$ is called a one-way function
(OWF) if the following conditions hold:

1. Easy to compute: There exists a (deterministic) polynomial-time algorithm $A$ such that on input
$x$ algorithm $A$ outputs $f(x)$ (i.e., $A(x) = f(x)$).

2. Hard to invert: For every probabilistic polynomial-time (PPT) algorithm $A'$, every positive polynomial
$p(\cdot)$, and all sufficiently large $n$, it holds that $\Pr[A'(f(U_n), 1^n) \in f^{-1}(f(U_n))] < 1/p(n)$, where $U_n$
denotes a random variable uniformly distributed over $\{0,1\}^n$.

Definition 2.2 (interactive argument/proof system) A pair of interactive machines, $(P, V)$, is
called an interactive argument system for a language $L$ if both are probabilistic polynomial-time (PPT)
machines and the following conditions hold:

• Completeness. For every $x \in L$, there exists a string $w$ such that for every string $z$,
$\Pr[\langle P(w), V(z) \rangle(x) = 1] = 1$.

• Soundness. For every polynomial-time interactive machine $P^*$, and for all sufficiently large $n$
and every $x \notin L$ of length $n$ and every $w$ and $z$, $\Pr[\langle P^*(w), V(z) \rangle(x) = 1]$ is negligible in $n$.

An interactive protocol is called a proof for $L$ if the soundness condition holds against any (even computationally
unbounded) $P^*$ (rather than only PPT $P^*$). An interactive system is called a public-coin system if at
each round the prescribed verifier can only toss coins and send their outcome to the prover.

Definition 2.3 (witness indistinguishability WI [33]) Let $(P, V)$ be an interactive system for a
language $L \in \mathcal{NP}$, and let $R_L$ be the fixed $\mathcal{NP}$ witness relation for $L$. That is, $x \in L$ if there exists
a $w$ such that $(x, w) \in R_L$. We denote by $\mathrm{view}^{P(w)}_{V^*(z)}(x)$ a random variable describing the transcript
of all messages exchanged between a (possibly malicious) PPT verifier $V^*$ and the honest prover $P$
in an execution of the protocol on common input $x$, when $P$ has auxiliary input $w$ and $V^*$ has auxiliary
input $z$. We say that $(P, V)$ is witness indistinguishable for $R_L$ if for every PPT interactive
machine $V^*$, and every two sequences $W^1 = \{w^1_x\}_{x \in L}$ and $W^2 = \{w^2_x\}_{x \in L}$ for sufficiently long $x$,
so that $(x, w^1_x) \in R_L$ and $(x, w^2_x) \in R_L$, the following two probability distributions are computationally
indistinguishable by any non-uniform polynomial-time algorithm: $\{x, \mathrm{view}^{P(w^1_x)}_{V^*(z)}(x)\}_{x \in L,\, z \in \{0,1\}^*}$ and
$\{x, \mathrm{view}^{P(w^2_x)}_{V^*(z)}(x)\}_{x \in L,\, z \in \{0,1\}^*}$. Namely, for every non-uniform polynomial-time distinguishing algorithm
$D$, every polynomial $p(\cdot)$, all sufficiently long $x \in L$, and all $z \in \{0,1\}^*$, it holds that

$$\left|\Pr[D(x, z, \mathrm{view}^{P(w^1_x)}_{V^*(z)}(x)) = 1] - \Pr[D(x, z, \mathrm{view}^{P(w^2_x)}_{V^*(z)}(x)) = 1]\right| < \frac{1}{p(|x|)}$$

It is worth noting that the WI property is preserved under adaptive concurrent composition [33, 32].

Definition 2.4 (strong witness indistinguishability SWI [36]) Let $(P, V)$ and all other notations
be as in Definition 2.3. We say that $(P, V)$ is strongly witness-indistinguishable for $R_L$ if for every PPT
interactive machine $V^*$ and for every two probability ensembles $\{X^1_n, Y^1_n, Z^1_n\}_{n \in \mathbb{N}}$ and $\{X^2_n, Y^2_n, Z^2_n\}_{n \in \mathbb{N}}$,
such that each $\{X^b_n, Y^b_n, Z^b_n\}_{n \in \mathbb{N}}$ ranges over $(R_L \times \{0,1\}^*) \cap (\{0,1\}^n \times \{0,1\}^* \times \{0,1\}^*)$, the following
holds: if $\{X^1_n, Z^1_n\}_{n \in \mathbb{N}}$ and $\{X^2_n, Z^2_n\}_{n \in \mathbb{N}}$ are computationally indistinguishable, then so are
$\{\langle P(Y^1_n), V^*(Z^1_n) \rangle(X^1_n)\}_{n \in \mathbb{N}}$ and $\{\langle P(Y^2_n), V^*(Z^2_n) \rangle(X^2_n)\}_{n \in \mathbb{N}}$.



WI vs. SWI: It is clarified in [37] that the notion of SWI actually refers to issues that are
fundamentally different from WI. Specifically, the issue is whether the interaction with the prover helps
$V^*$ to distinguish some auxiliary information (which is indistinguishable without such an interaction).
Significantly different from WI, SWI is not preserved under concurrent composition. For more details
about SWI we refer to [37]. An interesting observation, as clarified later, is that the protocol composing
commitments and SWI is itself regular WI. Also note that any zero-knowledge protocol is itself
SWI [37].

Definition 2.5 (zero-knowledge ZK [42, 36]) Let $(P, V)$ be an interactive system for a language
$L \in \mathcal{NP}$, and let $R_L$ be the fixed $\mathcal{NP}$ witness relation for $L$. That is, $x \in L$ if there exists a $w$ such
that $(x, w) \in R_L$. We denote by $\mathrm{view}^{P(w)}_{V^*(z)}(x)$ a random variable describing the contents of the random
tape of $V^*$ and the messages $V^*$ receives from $P$ during an execution of the protocol on common input
$x$, when $P$ has auxiliary input $w$ and $V^*$ has auxiliary input $z$. Then we say that $(P, V)$ is zero-knowledge
if for every probabilistic polynomial-time interactive machine $V^*$ there exists a probabilistic
(expected) polynomial-time oracle machine $S$, such that for all sufficiently long $x \in L$ the ensembles
$\{\mathrm{view}^{P(w)}_{V^*(z)}(x)\}_{x \in L}$ and $\{S^{V^*}(x)\}_{x \in L}$ are computationally indistinguishable. Machine $S$ is called a ZK
simulator for $(P, V)$. The protocol is called statistical ZK if the above two ensembles are statistically
close (i.e., the variation distance is eventually smaller than $1/p(|x|)$ for any positive polynomial $p$). The
protocol is called perfect ZK if the above two ensembles are actually identical (i.e., except for negligible
probabilities, the two ensembles are equal).

Definition 2.6 (system for argument/proof of knowledge [36, 8]) Let $R$ be a binary relation
and $\kappa : \mathbb{N} \to [0,1]$. We say that a probabilistic polynomial-time (PPT) interactive machine $V$ is a
knowledge verifier for the relation $R$ with knowledge error $\kappa$ if the following two conditions hold:

• Non-triviality: There exists an interactive machine $P$ such that for every $(x, w) \in R$ all possible
interactions of $V$ with $P$ on common input $x$ and auxiliary input $w$ are accepting.

• Validity (with error $\kappa$): There exists a polynomial $q(\cdot)$ and a probabilistic oracle machine $K$ such
that for every interactive machine $P^*$, every $x \in L_R$, and every $w, r \in \{0,1\}^*$, machine $K$ satisfies
the following condition:

Denote by $p(x, w, r)$ the probability that the interactive machine $V$ accepts, on input $x$, when
interacting with the prover specified by $P^*_{x,w,r}$ (where $P^*_{x,w,r}$ denotes the strategy of $P^*$ on common
input $x$, auxiliary input $w$ and random-tape $r$). If $p(x, w, r) > \kappa(|x|)$, then, on input $x$ and with
oracle access to $P^*_{x,w,r}$, machine $K$ outputs a solution $w' \in R(x)$ within an expected number of
steps bounded by

$$\frac{q(|x|)}{p(x, w, r) - \kappa(|x|)}.$$

The oracle machine $K$ is called a knowledge extractor.

An interactive argument/proof system $(P, V)$ such that $V$ is a knowledge verifier for a relation $R$ and
$P$ is a machine satisfying the non-triviality condition (with respect to $V$ and $R$) is called a system for
argument/proof of knowledge (AOK/POK) for the relation $R$.

The above definition of POK is with respect to a deterministic prover strategy. POK can also be
defined with respect to a probabilistic prover strategy. It was recently shown that the two definitions are
equivalent for all natural cases (e.g., POK for $\mathcal{NP}$-relations) [8].

Definition 2.7 (pseudorandom functions PRF) On a security parameter $n$, let $d(\cdot)$ and $r(\cdot)$ be
two positive polynomials in $n$. We say that $\{f_s : \{0,1\}^{d(n)} \to \{0,1\}^{r(n)}\}_{s \in \{0,1\}^n}$ is a pseudorandom
function ensemble if the following two conditions hold:

1. Efficient evaluation: There exists a polynomial-time algorithm that on input $s$ and $x \in \{0,1\}^{d(|s|)}$
returns $f_s(x)$.

2. Pseudorandomness: For every probabilistic polynomial-time oracle machine $A$, every polynomial
$p(\cdot)$, and all sufficiently large $n$, it holds:

$$\left|\Pr[A^{F_n}(1^n) = 1] - \Pr[A^{H_n}(1^n) = 1]\right| < \frac{1}{p(n)}$$

where $F_n$ is a random variable uniformly distributed over the multi-set $\{f_s\}_{s \in \{0,1\}^n}$, and $H_n$ is
uniformly distributed among all functions mapping $d(n)$-bit-long strings to $r(n)$-bit-long strings.

PRFs can be constructed from any one-way function [38, 36]. The currently most practical PRFs are
the Naor-Reingold constructions under the factoring (Blum integers) or the decisional Diffie-Hellman
hardness assumptions [58]. The cost of computing the value of a Naor-Reingold function at a given
point is about two modular exponentiations, and can be further reduced to only two multiple products
modulo a prime (without any exponentiations) with natural preprocessing, which makes them attractive
in practice.
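As an added illustration (not code from the paper) of the Naor-Reingold evaluation cost just described, the following Python computes the DDH-based Naor-Reingold function once directly (a multi-product modulo q for the exponent followed by one exponentiation) and once with fixed-base preprocessing, where the exponentiation is replaced by a second multi-product over a precomputed table of powers of the generator. The group parameters p = 2039, q = 1019, g = 4 and the 8-bit input length are assumptions chosen for readability; they are far too small to be secure.

```python
# Toy Naor-Reingold PRF (DDH flavour) with the fixed-base preprocessing trick.
# Added illustration for this section, not code from the paper; the group
# parameters are constructed and far too small to be secure.
import secrets

P = 2039            # safe prime, P = 2*Q + 1 (toy size; assumption, not secure)
Q = 1019            # prime order of the subgroup of quadratic residues mod P
G = 4               # 2^2 mod P: a generator of the order-Q subgroup
BITS = 8            # input length d(n) of the toy function


def keygen(bits: int = BITS) -> list[int]:
    """Key a = (a_0, a_1, ..., a_bits), each uniform in Z_Q^*."""
    return [secrets.randbelow(Q - 1) + 1 for _ in range(bits + 1)]


def nr_eval(key: list[int], x: int) -> int:
    """f_a(x) = G^{a_0 * prod_{x_i = 1} a_i} mod P, computed the direct way:
    one multi-product mod Q for the exponent, then one exponentiation mod P."""
    bits = len(key) - 1
    if not 0 <= x < 2 ** bits:
        raise ValueError("input outside {0,1}^bits")
    e = key[0]
    for i in range(bits):
        if (x >> i) & 1:
            e = e * key[i + 1] % Q
    return pow(G, e, P)


def precompute_fixed_base() -> list[int]:
    """Preprocessing independent of key and input: table[j] = G^(2^j) mod P."""
    table = []
    g = G
    for _ in range(Q.bit_length()):
        table.append(g)
        g = g * g % P
    return table


def nr_eval_preprocessed(key: list[int], x: int, table: list[int]) -> int:
    """Same function, but G^e is assembled as a product of precomputed powers
    selected by the bits of e: two multi-products (mod Q, then mod P) and no
    exponentiation at evaluation time, as the text describes."""
    bits = len(key) - 1
    e = key[0]
    for i in range(bits):
        if (x >> i) & 1:
            e = e * key[i + 1] % Q
    y = 1
    for j, g_pow in enumerate(table):
        if (e >> j) & 1:
            y = y * g_pow % P
    return y


def outputs_in_subgroup(key: list[int]) -> bool:
    """Sanity check: every output lies in the order-Q subgroup (y^Q = 1 mod P)."""
    return all(pow(nr_eval(key, x), Q, P) == 1 for x in range(2 ** (len(key) - 1)))


if __name__ == "__main__":
    a = keygen()
    T = precompute_fixed_base()
    for x in (0, 1, 0b10110011, 2 ** BITS - 1):
        assert nr_eval(a, x) == nr_eval_preprocessed(a, x, T)
    print("fixed-base evaluation agrees with direct evaluation on", 2 ** BITS, "inputs")
```

The table depends only on the generator, so it is computed once per group and shared by every key; with real parameters (a 2048-bit p and 256-bit q) it has one entry per bit of q, and the per-evaluation work is the two products the text refers to.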

Definition 2.8 (statistically/perfectly binding bit commitment scheme) A pair of PPT interactive
machines, $(P, V)$, is called a statistically (resp., perfectly) binding bit commitment scheme if it satisfies the following:

Completeness. For any security parameter $n$, and any bit $b \in \{0,1\}$, it holds that
$\Pr[(\alpha, \beta) \leftarrow \langle P(b), V \rangle(1^n);\ (t, (t, v)) \leftarrow \langle P(\alpha), V(\beta) \rangle(1^n) : v = b] = 1$.

Computationally hiding. For all sufficiently large $n$ and any PPT adversary $V^*$, the following two
probability distributions are computationally indistinguishable: $[(\alpha, \beta) \leftarrow \langle P(0), V^* \rangle(1^n) : \beta]$ and
$[(\alpha', \beta') \leftarrow \langle P(1), V^* \rangle(1^n) : \beta']$.

Statistically/perfectly binding. For all sufficiently large $n$ and any adversary $P^*$, the following probability is
negligible (or equals $0$ for perfectly-binding commitments):
$\Pr[(\alpha, \beta) \leftarrow \langle P^*, V \rangle(1^n);\ (t, (t, v)) \leftarrow \langle P^*(\alpha), V(\beta) \rangle(1^n);\ (t', (t', v')) \leftarrow \langle P^*(\alpha), V(\beta) \rangle(1^n) : v, v' \in \{0,1\} \wedge v \neq v']$.

That is, no (even computationally unbounded) adversary $P^*$ can decommit the same transcript
of the commitment stage both to $0$ and to $1$.

Below, we recall some classic perfectly-binding commitment schemes. 

One-round perfectly-binding (computationally-hiding) commitments can be based on any one-way
permutation (OWP) [9, 10]. Loosely speaking, given a OWP $f$ with a hard-core predicate $b$ (cf. [36]), on a
security parameter $n$ one commits to a bit $\sigma$ by uniformly selecting $x \in \{0,1\}^n$ and sending $(f(x), b(x) \oplus \sigma)$
as the commitment, while keeping $x$ as the decommitment information.

Statistically-binding commitments can be based on any one-way function (OWF) but run in two
rounds. On a security parameter $n$, let $PRG : \{0,1\}^n \to \{0,1\}^{3n}$ be a pseudorandom generator;
Naor's OWF-based two-round public-coin statistically-binding commitment scheme works as follows:
In the first round, the commitment receiver sends a random string $R \in \{0,1\}^{3n}$ to the committer. In
the second round, the committer uniformly selects a string $s \in \{0,1\}^n$; then, to commit to the bit $0$
the committer sends $PRG(s)$ as the commitment, and to commit to the bit $1$ the committer sends $PRG(s) \oplus R$
as the commitment. Binding holds because, for a uniformly random $R$, the probability that there exist
$s_0, s_1$ with $PRG(s_0) \oplus PRG(s_1) = R$ is at most $2^{2n}/2^{3n} = 2^{-n}$; accordingly, $R$ must not be under the
committer's control. Note that the first-round message of Naor's commitment scheme can be fixed once
and for all and, in particular, can be posted as a part of the receiver's public-key in the public-key model.
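The two schemes recalled above, as an added example that is not part of the original paper: a toy one-round commitment from a permutation with a hard-core predicate, and Naor's two-round scheme with the receiver's first message R. Assumptions of this example: the "permutation" is x ↦ 5^x mod 23 (a permutation of Z_23^*, but trivially invertible, so only its binding property is meaningful here), the hard-core predicate is the Blum-Micali most-significant-bit predicate, and SHAKE-256 stands in for the PRG. The last function shows why R must be chosen by the receiver (or fixed in the receiver's public key): a committer who picks R can open the same commitment both ways.

```python
# Toy implementations of the two classic commitments recalled above: the
# one-round OWP-based perfectly-binding scheme and Naor's two-round
# statistically-binding scheme.  Added illustration, not code from the paper.
import hashlib
import secrets

# --- One-round commitment from a OWP with a hard-core predicate -------------
# Toy OWP: f(x) = G^x mod P over Z_P^* with G a generator of Z_P^*, so f is a
# permutation of {1,...,P-1}.  Hard-core predicate: the Blum-Micali bit
# b(x) = [x > (P-1)/2].  P = 23 is an assumption for illustration only; at this
# size f is trivially invertible, so the scheme is binding but not hiding.
P_TOY, G_TOY = 23, 5


def owp(x: int) -> int:
    return pow(G_TOY, x, P_TOY)


def hardcore(x: int) -> int:
    return 1 if x > (P_TOY - 1) // 2 else 0


def owp_is_permutation() -> bool:
    """Binding rests on f being a bijection: y = f(x) fixes x, hence b(x), hence the bit."""
    return sorted(owp(x) for x in range(1, P_TOY)) == list(range(1, P_TOY))


def owp_commit(bit: int):
    x = secrets.randbelow(P_TOY - 1) + 1            # x uniform in {1,...,P-1}
    return (owp(x), hardcore(x) ^ bit), x           # (commitment, decommitment)


def owp_open(commitment, x: int, bit: int) -> bool:
    y, masked = commitment
    return owp(x) == y and (hardcore(x) ^ bit) == masked


# --- Naor's two-round commitment -------------------------------------------
N = 16                     # security parameter n in bytes


def prg(seed: bytes, out_len: int) -> bytes:
    """PRG stand-in {0,1}^n -> {0,1}^{3n}: SHAKE-256 used as an extendable-output
    function (an assumption of this example; any PRG would do)."""
    return hashlib.shake_256(seed).digest(out_len)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def naor_first_message(n: int = N) -> bytes:
    """Receiver's round-1 message R in {0,1}^{3n}; in the BPK model this string
    can be fixed once and posted as part of the receiver's public key."""
    return secrets.token_bytes(3 * n)


def naor_commit(bit: int, R: bytes, n: int = N):
    s = secrets.token_bytes(n)
    y = prg(s, 3 * n)
    return (y if bit == 0 else xor(y, R)), s       # (commitment, decommitment)


def naor_open(c: bytes, R: bytes, s: bytes, bit: int) -> bool:
    y = prg(s, len(R))
    return c == (y if bit == 0 else xor(y, R))


def naor_equivocal_if_committer_picks_R(n: int = N):
    """Why R must come from the receiver: a committer who chooses R can set
    R = PRG(s0) xor PRG(s1) and later open c = PRG(s0) to 0 (with s0) or to
    1 (with s1).  For a receiver-chosen random R such a pair exists with
    probability at most 2^{2n}/2^{3n} = 2^{-n}."""
    s0, s1 = secrets.token_bytes(n), secrets.token_bytes(n)
    R = xor(prg(s0, 3 * n), prg(s1, 3 * n))
    return R, prg(s0, 3 * n), s0, s1


if __name__ == "__main__":
    com, x = owp_commit(1)
    print("OWP commitment opens correctly:", owp_open(com, x, 1))
    R = naor_first_message()
    c, s = naor_commit(0, R)
    print("Naor commitment opens correctly:", naor_open(c, R, s, 0))
    R_bad, c_bad, s0, s1 = naor_equivocal_if_committer_picks_R()
    print("committer-chosen R opens both ways:",
          naor_open(c_bad, R_bad, s0, 0) and naor_open(c_bad, R_bad, s1, 1))
```

The equivocation routine is exactly the attack the 3n-bit output length rules out for an honest R: with R fixed by the receiver (or by the receiver's public key), the committer would need a collision of the form PRG(s0) ⊕ PRG(s1) = R among at most 2^{2n} pairs, which a random 3n-bit R admits only with probability 2^{-n}.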

Commit-then-SWI: Consider the following protocol composing a statistically-binding commitment
and SWI:

Common input: $x \in L$ for an $\mathcal{NP}$-language $L$ with corresponding $\mathcal{NP}$-relation $R_L$.

Prover auxiliary input: $w$ such that $(x, w) \in R_L$.

The protocol consists of two stages:

Stage-1: The prover $P$ computes and sends $c_w = C(w, r_w)$, where $C$ is a statistically-binding
commitment and $r_w$ is the randomness used for the commitment.

Stage-2: Define a new language $L' = \{(x, c_w) \mid \exists (w, r_w) \text{ s.t. } c_w = C(w, r_w) \wedge R_L(x, w) = 1\}$. Then
$P$ proves to $V$ that it knows a witness to $(x, c_w) \in L'$, by running a SWI protocol for $\mathcal{NP}$.

One interesting observation for the above commit-then-SWI protocol is that commit-then-SWI is
itself a regular WI for $L$.

Proposition 2.1 Commit-then-SWI is itself a regular WI for the language $L$.

Proof (of Proposition 2.1). For any PPT malicious verifier $V^*$ possessing some auxiliary input
$z \in \{0,1\}^*$, and for any $x \in L$ and two (possibly different) witnesses $(w_0, w_1)$ such that $(x, w_b) \in R_L$ for
both $b \in \{0,1\}$, consider the executions of commit-then-SWI: $\langle P(w_0), V^*(z) \rangle(x)$ and $\langle P(w_1), V^*(z) \rangle(x)$.

Note that for $\langle P(w_b), V^*(z) \rangle(x)$, $b \in \{0,1\}$, the input to the SWI of Stage-2 is $(x, c_{w_b} = C(w_b, r_{w_b}))$,
and the auxiliary input to $V^*$ at the beginning of Stage-2 is $(x, c_{w_b}, z)$. By the computational hiding of $C$,
$(x, c_{w_0}, z)$ is indistinguishable from $(x, c_{w_1}, z)$. Then, the regular WI property of the whole composed protocol
follows from the SWI property of Stage-2. □



2.1 Adaptive tag-based one-left-many-right non-malleable statistical zero-knowledge argument of knowledge (SZKAOK)

Let $\{(P_{TAG}, V_{TAG})(1^n)\}_{n \in \mathbb{N},\, TAG \in \{0,1\}^{p(n)}}$, where $p(\cdot)$ is some polynomial, be a family of argument
systems for an $\mathcal{NP}$-language $L$ specified by $\mathcal{NP}$-relation $R_L$. For each security parameter $n$ and
$TAG \in \{0,1\}^{p(n)}$, $(P_{TAG}, V_{TAG})(1^n)$ is an instance of the protocol $(P, V)$, which is indexed by $TAG$
and works for inputs in $L \cap \{0,1\}^n$.

We consider an experiment $\mathrm{EXPE}(1^n, x, TAG, z)$, where $1^n$ is the security parameter, $x \in L \cap \{0,1\}^n$,
$TAG \in \{0,1\}^{p(n)}$ and $z \in \{0,1\}^*$. (The input $(x, TAG)$ captures the predetermined input and tag of the
prover instance in the following left MIM part, and the string $z \in \{0,1\}^*$ captures the auxiliary input to
the following MIM adversary $A$.) In the experiment $\mathrm{EXPE}(1^n, x, TAG, z)$, on input $(1^n, x, TAG, z)$, an
adaptive input-selecting one-left-many-right MIM adversary $A$ simultaneously participates in two
interaction parts:

The left MIM part: in which $A$ chooses $(x', TAG')$ based on its view from both the left session and
all right sessions, satisfying that the membership $x' \in L \cap \{0,1\}^n$ can be efficiently checked¹
and $TAG' \in \{0,1\}^{p(n)}$. In case $x' \in L \cap \{0,1\}^n$ (which can be efficiently checked), a witness $w'$
such that $(x', w') \in R_L$ is given to the prover instance $P_{TAG'}$, and $A$ interacts, playing the role of
the verifier $V_{TAG'}$, with the prover instance $P_{TAG'}(x', w')$ on common input $x'$. The interactions
with $P_{TAG'}(x', w')$ are called the left session. Note that $A$ can just set $(x', TAG')$ to be $(x, TAG)$,
which captures the case of a predetermined input and tag for the left session.

The right CMIM part: in which $A$ concurrently interacts with $s(n)$, for a polynomial $s(\cdot)$, verifier
instances $V_{TAG'_1}(x'_1), V_{TAG'_2}(x'_2), \ldots, V_{TAG'_{s(n)}}(x'_{s(n)})$, where $(TAG'_i, x'_i)$, $1 \leq i \leq s(n)$, are set
by $A$ (at the beginning of each session) adaptively based on its view (in both the left session and
all the right sessions), satisfying $x'_i \in \{0,1\}^n$ and $TAG'_i \in \{0,1\}^{p(n)}$. The interactions with the
instance $V_{TAG'_i}(x'_i)$ are called the $i$-th right session, in which $A$ plays the role of $P_{TAG'_i}$.

¹ We remark, for our purpose of security analysis in Section 5.2, that it is necessary, as well as sufficient, to require that the
membership of the statement chosen by $A$ can be efficiently checked; otherwise, the experiment may render an
$\mathcal{NP}$-membership oracle to $A$.



Denote by $\mathrm{view}_A(1^n, x, TAG, z)$ the random variable describing the view of $A$ in the above experiment
$\mathrm{EXPE}(1^n, x, TAG, z)$, which includes the input $(1^n, x, TAG, z)$, its random tape, and all messages
received in the one left session and the $s(n)$ right sessions.

Then, we say that the family of argument systems $\{(P_{TAG}, V_{TAG})(1^n)\}_{n \in \mathbb{N},\, TAG \in \{0,1\}^{p(n)}}$ is adaptive
tag-based one-left-many-right non-malleable SZKAOK with respect to tags of length $p(n)$, if for any PPT
adaptive input-selecting one-left-many-right MIM adversary $A$ defined above, there exists an expected
polynomial-time algorithm $S$, such that for any sufficiently large $n$, any $x \in L \cap \{0,1\}^n$ and $TAG \in \{0,1\}^{p(n)}$,
and any $z \in \{0,1\}^*$, the output of $S(1^n, x, TAG, z)$ consists of two parts $(str, sta)$ such that
the following hold, where we denote by $S_1(1^n, x, TAG, z)$ (the distribution of) its first output $str$.

• Statistical simulatability. The following ensembles are statistically indistinguishable:

$$\{\mathrm{view}_A(1^n, x, TAG, z)\}_{n \in \mathbb{N},\, x \in L \cap \{0,1\}^n,\, TAG \in \{0,1\}^{p(n)},\, z \in \{0,1\}^*}$$
$$\{S_1(1^n, x, TAG, z)\}_{n \in \mathbb{N},\, x \in L \cap \{0,1\}^n,\, TAG \in \{0,1\}^{p(n)},\, z \in \{0,1\}^*}$$

• Knowledge extraction. $sta$ consists of a set of $s(n)$ strings, $\{w_1, w_2, \ldots, w_{s(n)}\}$, satisfying the
following:

– For any $i$, $1 \leq i \leq s(n)$, if the $i$-th right session in $str$ is aborted or has a tag identical to
that of the left session, then $w_i = \bot$;

– Otherwise, i.e., if the $i$-th right session in $str$ is successful with $TAG'_i \neq TAG'$, then $(x'_i, w_i) \in R_L$,
where $x'_i$ is the input to the $i$-th right session in $str$.

Pass-Rosen ZK (PRZK). The PRZK developed in [63, 64] is the only known constant-round
adaptive tag-based one-left-many-right non-malleable SZKAOK; it is based on any collision-resistant
hash function (which can in turn be based on the existence of a family of claw-free permutations).
Furthermore, PRZK is public-coin.

3 The CMIM Setting in the BPK Model with Full Adaptive Input 
Selection 

In this section, we clarify the subtleties of adaptive input selection in the CMIM setting, and motivate
the desirability of CNM security against CMIM adversaries with the capability of full adaptive input
selection. Then, we describe the CMIM setting in the BPK model for any interactive argument
protocol (that works for a class of admissible languages rather than a single language).

3.1 Motivation for CMIM with full adaptive input selection 

A concurrent man-in-the-middle (CMIM) adversary A, for an interactive proof/argument protocol,
is a probabilistic polynomial-time (PPT) algorithm that can act both as a prover and as a verifier.
Specifically, A can concurrently interact with any polynomial number of instances of the honest prover
in the left interaction part. The interactions with each instance of the honest prover are called a left session,
in which A plays the role of the verifier. Simultaneously, A interacts with any polynomial number of
instances of the honest verifier in the right interaction part. The interactions with each instance of the
honest verifier are called a right session, in which A plays the role of the prover. Here, all honest prover
and verifier instances work independently, and answer messages sent by A promptly.

In the traditional formulation of the CMIM setting (and also the stand-alone MIM setting), there
are two levels of input-selecting capability for the CMIM adversary: (1) CMIM with predetermined
left-session inputs, in which the inputs to left sessions are predetermined, and the CMIM adversary
A can only set inputs to right sessions; (2) CMIM with adaptive input selection, in which A can set,
adaptively based on its view, the inputs to both left sessions and right sessions. But, in the traditional
formulation of CMIM, both for CMIM with predetermined left-session inputs and for CMIM with adaptive
input selection, the CMIM adversary A is required (limited) to set the input of each session at the
beginning of that session. We note that this requirement on input selection in the traditional CMIM
formulation could essentially limit the power of the CMIM adversary in certain natural settings. We
give some concrete examples below.

Consider any protocol resulting from the composition of a coin-tossing protocol and a protocol in
the CRS model. In most cases, the input to the underlying protocol in the CRS model, denoted
CRS-protocol for notational simplicity, is also the input to the whole composed protocol. Note that the
input to the underlying CRS-protocol can be set after the coin-tossing phase is finished, and may even
be set only at the last message of the composed protocol. Recall that an adaptive adversary in the CRS
model is allowed to set statements based on the CRS. In other words, mandating the adversary to
predetermine the input to the underlying CRS-protocol, without seeing the output of the coin-tossing
that serves as the underlying CRS, clearly limits the power of the adversary and thus weakens the
provable security established for the composed protocol.

Another example is the Feige-Shamir-ZK-like protocol [31, 32, 69], which consists of two sub-protocols
(for presentation convenience, we call them the verifier's sub-protocol and the prover's sub-protocol),
and the input of the protocol is only used in the prover's sub-protocol. The prover can set and prove
the statements in the prover's sub-protocol only after the verifier has successfully finished the verifier's
sub-protocol, in which the verifier proves some knowledge (e.g., its secret-key) to the prover. In
this case, the adversary can take advantage of the verifier's sub-protocol interactions to set and prove
inputs to the subsequent prover's sub-protocol, especially when the Feige-Shamir-ZK-like protocol is
run concurrently in the public-key model. Again, an adversary, as well as the honest prover, could set
the input to a session only at the last message of the session, for example when the prover's
sub-protocol is the Lapidot-Shamir WIPOK protocol [48]. As demonstrated in [67] and in this
work, letting the adversary adaptively determine inputs, in view of the concurrent executions of the
verifier's sub-protocol in the public-key model, renders strictly stronger power to the adversary.

In contrast, by CMIM with full adaptive input selection we mean that a CMIM adversary can set
inputs to both left sessions and right sessions; furthermore (and different from the traditional formulation
of adaptive input selection), the adversary does not necessarily set the input to each session at the
beginning of the session. Rather, the input may be set during the session, based on the whole transcript
evolution (of other concurrent sessions as well as the current session). Though the adversary is allowed
to set inputs at any point of the concurrent execution, whenever at some point the subsequent activities
of an honest player in a session require the input of the session while the adversary has not yet provided
it, the honest player simply aborts the session. Similar to traditional CMIM with predetermined
left-session inputs, we can define CMIM with predetermined left-session inputs but full adaptive input
selection on the right, in which the inputs to left sessions are fixed and the CMIM adversary only sets
inputs to right sessions in the above fully adaptive way.

From the above clarifications, we conclude that allowing the CMIM adversary the capability of full
adaptive input selection, in particular not necessarily predetermining the inputs of sessions at the start
of each session, is a more natural formulation, and covers more natural scenarios, for cryptographic
protocols to be CNM-secure against adaptive input-selecting CMIM adversaries. It renders stronger
capability to the adversary, and thus allows us to achieve stronger provable CNM security. The general
CNM feasibility in the BPK model established in this work is against CMIM with the capability of full
adaptive input selection (and the capability of adaptive language selection for right sessions).

3.2 The CMIM Setting in the BPK Model (with adaptive input and language selection) 

The bare public-key (BPK) model. As in [66], we say a class of $\mathcal{NP}$-languages $\mathcal{C}$ is admissible 
to a protocol $(P, V)$ if the protocol can work (or, be instantiated) for any language $L \in \mathcal{C}$. Typically, 
$\mathcal{C}$ could be the set of all $\mathcal{NP}$-languages or the set of all languages admitting $\Sigma$-protocols (in the 
latter case $(P, V)$ can be instantiated for any language in $\mathcal{C}$ efficiently, without going through general 
$\mathcal{NP}$-reductions). We assume that, given the description of the corresponding $\mathcal{NP}$-relation $R_L$ of an 
$\mathcal{NP}$-language $L$, the admissibility of $L$ (i.e., the membership $L \in \mathcal{C}$) can be efficiently decided. 



Let $R^{P}_{KEY}$ be the $\mathcal{NP}$-relation validating the public-key and secret-key pair $(PK_P, SK_P)$ generated 
by honest provers, i.e., $R^{P}_{KEY}(PK_P, SK_P) = 1$ indicates that $SK_P$ is a valid secret-key of $PK_P$. 
Similarly, let $R^{V}_{KEY}$ be the $\mathcal{NP}$-relation validating the public-key and secret-key pair $(PK_V, SK_V)$ 
generated by honest verifiers, i.e., $R^{V}_{KEY}(PK_V, SK_V) = 1$ indicates that $SK_V$ is a valid secret-key of 
$PK_V$. In the following formalization, we assume each honest player is of a fixed player role. 

Then, a protocol $(P, V)$ for an $\mathcal{NP}$-language $L$ in the BPK model w.r.t. key-validating relations 
$R^{P}_{KEY}$ and $R^{V}_{KEY}$ consists of the following: 

1. The interactions between $P$ and $V$ can be divided into two stages. The first stage is called the key-generation 
stage, in which each player registers a public-key in a public file $F$; at the end of the 
key-generation stage, the proof stage starts, where any pair of prover and verifier can interact. All 
algorithms have access to the same public file $F$ output by the key-generation stage. 

2. On security parameter $1^n$, the public file $F$ is structured as a collection of $poly(n)$ records, for 
a polynomial $poly(\cdot)$: $\{(id_1, PK_{id_1}), (id_2, PK_{id_2}), \cdots, (id_{poly(n)}, PK_{id_{poly(n)}})\}$. $F$ is empty at the 
beginning and is updated by players during the key-generation stage. As we assume players to be of 
fixed roles, for presentation simplicity we also denote $F = \{PK^{(1)}_{I}, PK^{(2)}_{I}, \cdots, PK^{(poly(n))}_{I}\}$, such 
that for any $i$, $1 \le i \le poly(n)$, $PK^{(i)}_{I}$ denotes a prover-key if $I = P$ or a verifier-key if $I = V$. 
The same version of the public file $F$ obtained at the end of the key-generation stage is used 
during the proof stage. That is, the public file $F$ used in proof stages remains identical to 
that output at the end of the key-generation stage. 

3. An honest prover $P$ is a pair of deterministic polynomial-time algorithms $(P_1, P_2)$, where $P_1$ operates 
in the key-generation stage and $P_2$ operates in the proof stage. On input a security parameter 
$1^n$ and a random tape $r_{P_1}$, $P_1$ generates a key pair $(PK_P, SK_P)$ satisfying $R^{P}_{KEY}(PK_P, SK_P) = 1$, 
registers $PK_P$ in the public file $F$ as its public-key while keeping the corresponding secret-key 
$SK_P$ secret. Denote by $\mathcal{K}_P$ the set of all legitimate (in accordance with $R^{P}_{KEY}$) public-keys 
generated by $P_1(1^n)$, that is, $\mathcal{K}_P$ contains all possible legitimate prover public-keys generated on 
security parameter $n$. Then, in the proof stage, on inputs $(PK_P, SK_P)$, a $poly(n)$-bit string 
$x \in L$, an auxiliary input $w$, a public file $F$, a verifier public-key $PK^{(j)}_V \in F$ and a random 
tape $r_{P_2}$, $P_2$ performs an interactive protocol with the verifier of $PK^{(j)}_V$ in the proof stage. 

4. An honest verifier $V$ is a pair of deterministic polynomial-time algorithms $(V_1, V_2)$, where $V_1$ operates 
in the key-generation stage and $V_2$ operates in the proof stage. On input a security parameter 
$1^n$ and a random tape $r_{V_1}$, $V_1$ generates a key pair $(PK_V, SK_V)$ satisfying $R^{V}_{KEY}(PK_V, SK_V) = 1$, 
registers $PK_V$ in the public file $F$ as its public-key while keeping the corresponding secret-key $SK_V$ 
secret. Denote by $\mathcal{K}_V$ the set of all legitimate (in accordance with $R^{V}_{KEY}$) public-keys generated 
by $V_1(1^n)$, that is, $\mathcal{K}_V$ contains all possible legitimate verifier public-keys generated on security 
parameter $n$. On inputs $(PK_V, SK_V)$, the public file $F$, a prover public-key $PK^{(j)}_P \in F$, the 
$\mathcal{NP}$-relation $R_L$, a $poly(n)$-bit string $x$ and a random tape $r_{V_2}$, $V_2$ first checks the admissibility of 
$L$, i.e., that $L \in \mathcal{C}$; then $V_2$ performs the interactive protocol with (the proof stage of) the prover of $PK^{(j)}_P$, 
and outputs "accept $x \in L$" or "reject $x$" at the end of this protocol. We stress that, as the role of 
the honest verifier with its public-key is not interchangeable in the BPK model, the honest verifier 
with its public-key may prove knowledge of its secret-key, but will never prove anything else. 

Notes: We remark that, though each player is allowed to register public-keys in the public file in the 
original formulation of the BPK model [12], for some cryptographic tasks, e.g., concurrent and resettable 
zero-knowledge, requiring only verifiers to register public-keys suffices. In these cases provers' keys may 
not be used, or $\mathcal{K}_P$ can simply be empty. Our formulation of the BPK model is for the general case, and 
provers' registered public-keys play an essential role in achieving CNM security with full adaptive input 
selection (to be addressed later). Also note that in the above formulation, honest players are of fixed 
roles. For protocols with players of interchangeable roles, the direct extension is to let each 
player register a pair of public-keys $(PK_P, PK_V)$ and explicitly indicate its role in protocol executions. 



The CMIM adversary. The CMIM adversary $A$ in the BPK model is a probabilistic polynomial-time 
(PPT) algorithm that can act both as a prover and as a verifier, both in the key-generation stage 
and in the main proof stage. 

In the key-generation stage, on $1^n$, some auxiliary input $z \in \{0,1\}^*$ and a pair of honestly 
generated public-keys $(PK_P, PK_V)$ generated by the honest prover and verifier, $A$ outputs a set of 
public-keys, denoted by $F'$, together with some auxiliary information $\tau$ to be used in the proof stage (in 
particular $\tau$ can include $z$ and a priori information about the secret-keys $(SK_P, SK_V)$ of the honest players). 
Then the public file $F$ used in the proof stage is set to be $F = F' \cup \{PK_P, PK_V\}$. That is, $A$ has complete 
control of the public file $F$. Here, we remark that, in general, the input to $A$ for generating 
$F'$ could be a set of public-keys generated by many honest provers and verifiers, rather than a single 
pair of public-keys $(PK_P, PK_V)$ generated by a single honest prover and a single honest verifier. The 
formulation with a unique pair of honestly generated public-keys is only for presentation simplicity. 

In the proof stage, on inputs $(F, \tau)$, $A$ can concurrently interact with any polynomial number of 
instances of the honest prover of public-key $PK_P$ in the left interaction part. The interaction with each 
instance of the honest prover of $PK_P$ is called a left session, in which $A$ plays the role of a verifier with 
a public-key $PK^{(j)}_V \in F$. Simultaneously, $A$ interacts with any polynomial number of instances of the 
honest verifier of $PK_V$ in the right interaction part. The interaction with each instance of the honest verifier 
of $PK_V$ is called a right session, in which $A$ plays the role of a prover with a public-key $PK^{(j)}_P \in F$. Here, 
all honest prover and verifier instances work independently, and answer messages sent by $A$ 
promptly. 

Specifically, polynomially many concurrent sessions of the proof stage of the same protocol $(P, V)$ 
take place in an asynchronous setting (say, over the Internet), and all the unauthenticated communication 
channels (among all the concurrently executing instances of $(P, V)$) are controlled by the PPT adversary 
$A$. This means that the honest prover instances cannot communicate directly with the honest verifier 
instances in the proof stage, since all messages pass through the adversary. The 
adversary $A$, controlling the scheduling of messages in both parts of the CMIM setting, can decide to simply relay 
the messages between any prover instance in the left part and the corresponding verifier instance in the 
right part. But it can also decide to block, delay, divert, or change messages arbitrarily at its wish. 

We allow the CMIM adversary to set (admissible) languages for the right sessions (possibly different 
from the language of the left sessions), adaptively based on all players' public-keys and the (predetermined) 
statements of left sessions. Specifically, the left sessions and right sessions (of the same protocol) 
may work for different (admissible) languages. For presentation simplicity, we assume the CMIM adversary 
sets a unique language $\hat{L}$ (by giving the corresponding $\mathcal{NP}$-relation $R_{\hat{L}}$) for all concurrent right 
sessions before the actual interactions of the proof stage take place. A CMIM adversary with adaptive 
input selection can further set the inputs to left sessions adaptively based on its view (besides adaptively 
setting inputs to right sessions). A CMIM adversary is called an $s(n)$-CMIM adversary, for a positive 
polynomial $s(\cdot)$, if the adversary involves at most $s(n)$ concurrent sessions in each part of the CMIM 
setting and registers at most $s(n)$ public-keys in $F'$, where $n$ is the security parameter. 

For presentation simplicity and without loss of generality, we have made the following conventions: 

• We assume all honest prover instances have the same public-key $PK_P$ and all honest verifier 
instances have the same public-key $PK_V$. That is, $A$ concurrently interacts on the left with 
honest prover instances of the same public-key $PK_P$ and on the right with honest verifier instances 
of the same public-key $PK_V$. And, the file $F'$ generated by $A$ is only based on $\{PK_P, PK_V\}$. 

• The number of sessions in the left interaction part is equal to the number of sessions in the right interaction part, 
i.e., both are $s(n)$. 

• We assume $A$ sets the same $\mathcal{NP}$-relation $R_{\hat{L}}$ for all right sessions. 

We remark that both the security model and the security analysis in this work can be easily extended 
to the general case: multiple different honest prover and verifier instances with multiple different public-keys; 
different session numbers in left interactions and right interactions; and allowing different 
(admissible) languages for different right sessions. We prefer the simplified formulation because 
it much simplifies the presentation and the security analysis. The (simplified) CMIM setting for 
interactive arguments in the bare public-key model with a PPT $s(n)$-CMIM adversary is depicted in 
Figure 1. 

Figure 1: The CMIM setting in the public-key model for ZK (figure not reproduced in this extraction). 

More formally, with respect to a protocol $(P, V)$ for an (admissible) $\mathcal{NP}$-language $L \in \mathcal{C}$ with $\mathcal{NP}$-relation 
$R_L$, an $s(n)$-CMIM adversary $A$'s attack in the BPK model is executed in accordance with the 
following experiment $Expt^{CMIM}_{A}(1^n, X, W, z)$, where $X = (x_1, \cdots, x_{s(n)})$ and $W = (w_1, \cdots, w_{s(n)})$ are 
vectors of $s(n)$ elements such that $x_i \in L \cap \{0,1\}^{poly(n)}$ and $(x_i, w_i) \in R_L$, $1 \le i \le s(n)$: 

$Expt^{CMIM}_{A}(1^n, X, W, z)$ 

Honest prover-key generation. $(PK_P, SK_P) \leftarrow P_1(1^n)$. 

Honest verifier-key generation. $(PK_V, SK_V) \leftarrow V_1(1^n)$. 

Preprocessing stage of the CMIM. $A$, on inputs $1^n$, auxiliary input $z \in \{0,1\}^*$ and honest player 
keys $(PK_P, PK_V)$, outputs $(F', \tau)$, where $F'$ is a list of at most $s(n)$ public-keys and $\tau$ is some 
auxiliary information to be transferred to the proof stage of $A$. Then, the public file to be used 
in the proof stage is $F = F' \cup \{PK_P, PK_V\}$. 

Proof stage of the CMIM. On $(F, \tau)$ and the predetermined left-session inputs $X$, $A$ outputs the 
description of the $\mathcal{NP}$-relation $R_{\hat{L}}$ for a language $\hat{L}$ (that may be different from $L$). 

Then, $A$ continues its execution, and may start (at most) $s(n)$ sessions in either the left CMIM 
interaction part or the right CMIM interaction part. At any time during this stage, $A$ can do one 
of the following four actions. 

• Deliver to $V$ a message for an already started right session. 

• Deliver to $P$ a message for an already started left session. 

• Start a new $i$-th left session, $1 \le i \le s(n)$: $A$ indicates a key $PK^{(j)}_V \in F$ to the honest 
prover $P$ (of public-key $PK_P$). The honest prover $P$ then initiates a new session with (the 
predetermined) input $(x_i, w_i)$ and the verifier of $PK^{(j)}_V$ (impersonated by $A$). 

For a CMIM adversary with (traditional) adaptive input selection, besides $PK^{(j)}_V$ the CMIM 
adversary $A$ indicates to $P$, adaptively based on its view, a statement $x_i \in \{0,1\}^{poly(n)}$ 
as the input of the $i$-th left session. In this case, we require that the membership 
$x_i \in L \cap \{0,1\}^{poly(n)}$ can be efficiently checked, as otherwise the experiment would provide an 
$\mathcal{NP}$-membership oracle to $A$. In case $x_i \in L \cap \{0,1\}^{poly(n)}$ (which can be efficiently checked), 
a witness $w_i$ such that $(x_i, w_i) \in R_L$ is given to the prover instance of $P$; then, on 
input $(x_i, w_i)$ the honest prover $P$ interacts with the verifier of $PK^{(j)}_V$ (impersonated by $A$). 

• Start a new $i$-th right session: the CMIM adversary $A$ chooses, adaptively based on its view 
of the CMIM attack, a $poly(n)$-bit string $x_i$, and indicates a key $PK^{(j)}_P \in F$ and the 
$\mathcal{NP}$-relation $R_{\hat{L}}$ to the honest verifier $V$ of public-key $PK_V$. Then, the honest verifier 
$V$ initiates a new session, checks the admissibility of $R_{\hat{L}}$, and then interacts with the prover 
of public-key $PK^{(j)}_P$ (impersonated by $A$) on input $(1^n, x_i, R_{\hat{L}})$, in which $A$ is trying to convince $V$ 
of the (possibly false) statement "$x_i \in \hat{L}$". 

• Output a special "end attack" symbol, within time polynomial in $n$. 

We denote by $view_A(1^n, X, z)$ the random variable describing the view of $A$ in the experiment 
$Expt^{CMIM}_{A}(1^n, X, W, z)$, which includes its random tape, the (predetermined) input vector $X$, the 
auxiliary string $z$, and all messages it receives, including the public-keys $(PK_P, PK_V)$ and all messages 
sent by honest prover and verifier instances in the proof stage. For any $(PK_P, SK_P) \in R^{P}_{KEY}$ 
and $(PK_V, SK_V) \in R^{V}_{KEY}$, we denote by $view^{SK_P, SK_V}_A(1^n, X, z, PK_P, PK_V)$ the random 
variable describing the view of $A$ specific to $(PK_P, PK_V)$, which includes its random tape, the 
auxiliary string $z$, the (specific) $(PK_P, PK_V)$, and all messages it receives from the instances of 
$P(1^n, SK_P)$ and $V(1^n, SK_V)$ in the proof stage. 

Note that in all cases, the honest prover and verifier instances answer messages from $A$ promptly. 
We stress that in different left or right sessions the honest prover and verifier instances use independent 
random tapes in the proof stage. The adversary's goal is to complete a right session, with a statement 
different from that of any left session, for which the verifier accepts even though the adversary does 
not actually know a witness for the statement being proved. 



4 Formulating CNMZK in the Public-Key Model, Revisited 

The traditional CNMZK formulation is roughly the following: for any PPT CMIM adversary $A$ with traditional 
input-selecting capability (as clarified in Section 3.2), there exists a PPT simulator/extractor $S$ such 
that $S$ outputs the following: (1) a simulated transcript that is indistinguishable from the real view 
of the CMIM adversary in its CMIM attacks; (2) for each successful right session on a common input $x$ 
different from those of the left sessions, a corresponding $\mathcal{NP}$-witness of $x$. 

Requirement (1) intuitively captures that any advantage $A$ can get from the concurrent left and 
right interactions can also be obtained by $S$ alone, without any interaction, i.e., $A$ gets no extra advantage 
from the CMIM attacks. Requirement (2) intuitively captures that for any different statement of which 
$A$ convinces $V$ in one of the right sessions, $A$ must "know" a witness. 

The formulations of CNM in the public-key model in existing works ([69, 60, 22, 61]) essentially 
bring the above traditional CNM formulation directly into the public-key setting, with the following 
difference: $S$ also simulates the key-generation phases of all honest verifiers. Put in other words, in its 
simulation/extraction $S$ actually holds the corresponding secret-keys of the honest verifiers. 

We start clarifying the subtleties of CNM in the public-key model by showing a CMIM attack on 
the CNMZK protocol in the BPK model proposed in [22]. The CMIM attack allows the CMIM adversary to 
successfully convince the honest verifier of some $\mathcal{NP}$ statements without knowing any witness to 
the statement being proved. 

4.1 CMIM attacks on the CNMZK proposed in [22] 

Let us first recall the structure of the protocol of [22]. 

Key-generation. Let $(KG_0, Sig_0, Ver_0)$ and $(KG_1, Sig_1, Ver_1)$ be two signature schemes that are secure 
against adaptive chosen-message attacks. On a security parameter $1^n$, each verifier $V$ randomly 
generates two pairs $(verk_0, sigk_0)$ and $(verk_1, sigk_1)$ by running $KG_0$ and $KG_1$ respectively, where 
$verk$ is the signature verification key and $sigk$ is the signing key. $V$ publishes $(verk_0, verk_1)$ as its 
public-key while keeping $sigk_b$ as its secret-key, for a randomly chosen $b \in \{0,1\}$ ($V$ discards 
$sigk_{1-b}$). The prover has no public-key. 



Common input. An element $x \in L$ of length $poly(n)$, where $L$ is an $\mathcal{NP}$-language that admits $\Sigma$-protocols. 

The main body of the protocol. The main body of the protocol consists of the following three 
phases: 

Phase-1. The verifier $V$ proves to $P$ that it knows either $sigk_0$ or $sigk_1$, by executing the (partial 
witness-independent) $\Sigma_{OR}$-protocol on $(verk_0, verk_1)$, in which $V$ plays the role of knowledge 
prover. Denote by $a_V, e_V, z_V$ the first-round, the second-round and the third-round 
message of the $\Sigma_{OR}$-protocol of this phase respectively. Here $e_V$ is the random challenge sent 
by the prover to the verifier. 

If $V$ successfully finishes the $\Sigma_{OR}$-protocol of this phase and $P$ accepts, then go to Phase-2. 
Otherwise, $P$ aborts. 

Phase-2. $P$ generates a key pair $(sk, vk)$ for a one-time strong signature scheme. Let $COM$ be 
a commitment scheme. The prover randomly selects random strings $s, r \in \{0,1\}^{poly(n)}$ and 
computes $C = COM(s, r)$ (that is, $P$ commits to $s$ using randomness $r$). Finally, $P$ sends 
$(C, vk)$ to the verifier $V$. 

Phase-3. By running a $\Sigma_{OR}$-protocol, $P$ proves to $V$ that it knows either a witness $w$ for $x \in L$ 
OR that the value committed in $C$ is a signature on the message $vk$ under either $verk_0$ or $verk_1$. 
Denote by $a_P, e_P, z_P$ the first-round, the second-round and the third-round message of the 
$\Sigma_{OR}$-protocol of Phase-3. Finally, $P$ computes a one-time strong signature $\delta$ on the whole transcript 
with the signing key $sk$ generated in Phase-2. 

Verifier's decision. $V$ accepts if and only if the $\Sigma_{OR}$-protocol of Phase-3 is accepting, and $\delta$ is 
a valid signature on the whole transcript under $vk$. 

Note: The actual implementation of the DDL protocol combines rounds of the above protocol. But, 
it is easy to see that round-combination does not invalidate the following attacks. 

4.1.1 The CMIM attack 

We show a special CMIM attack in which the adversary $A$ only participates in the right concurrent 
interactions with honest verifiers (i.e., there are no concurrent left interactions in which $A$ concurrently 
interacts with honest provers). 

The following CMIM attack enables $A$ to malleate the Phase-1 interactions of one session into 
a successful conversation of another concurrent session, for a different (but verifier-public-key-related) 
statement, without knowing any corresponding $\mathcal{NP}$-witness. 

Let $L$ be any $\mathcal{NP}$-language admitting a $\Sigma$-protocol, denoted $\Sigma_L$ (in particular, $L$ can be the 
empty set). For an honest verifier $V$ with public-key $PK = (verk_0, verk_1)$, we define a new language 
$\mathcal{L} = \{(x, verk_0, verk_1) \mid \exists w \text{ s.t. } (x, w) \in R_L \text{ OR } w = sigk_b \text{ for some } b \in \{0,1\}\}$. Note that for any string $x$ 
(whether $x \in L$ or not), the statement "$(x, verk_0, verk_1) \in \mathcal{L}$" is always true, as $PK = (verk_0, verk_1)$ is 
honestly generated. Also note that $\mathcal{L}$ is a language that admits $\Sigma$-protocols (as the $\Sigma_{OR}$-protocol is itself a 
$\Sigma$-protocol). Now, we describe the concurrent interleaving and malleating attack, in which $A$ successfully 
convinces the honest verifier of the statement "$(x, verk_0, verk_1) \in \mathcal{L}$" for an arbitrary $poly(n)$-bit string 
$x$ (even when $x \notin L$) by concurrently interacting with $V$ (with public-key $(verk_0, verk_1)$) in two sessions 
as follows. 

1. $A$ initiates the first session with $V$. After receiving the first-round message, denoted by $a'_V$, of the 
$\Sigma_{OR}$-protocol of Phase-1 of the first session on common input $(verk_0, verk_1)$ (i.e., $V$'s public-key), 
$A$ suspends the first session. 

2. $A$ initiates a second session with $V$, and works just as the honest prover does in Phase-1 and 
Phase-2 of the second session. We denote by $(C, vk)$ the Phase-2 message of the second session, 
where $C$ is the commitment to a random string and $vk$ is the verification key of the one-time 
strong signature scheme generated by $A$ (note that $A$ knows the corresponding signing key $sk$, as 
$(vk, sk)$ is generated by itself). When $A$ moves into Phase-3 of the second session and needs to 
send $V$ the first-round message, denoted by $a_P$, of the $\Sigma_{OR}$-protocol of Phase-3 of the second 
session on common input $(x, verk_0, verk_1)$, $A$ does the following: 

• $A$ first runs the SHVZK simulator of $\Sigma_L$ (i.e., the $\Sigma$-protocol for $L$) [18] on $x$ to get a 
simulated conversation, denoted by $(a_x, e_x, z_x)$, for the (possibly false) statement "$x \in L$". 

• $A$ runs the SHVZK simulator of the $\Sigma$-protocol for showing that the value committed in $C$ 
is a signature on $vk$ under one of $(verk_0, verk_1)$ to get a simulated conversation, denoted by 
$(a_C, e_C, z_C)$. 

• $A$ sets $a_P = (a_x, a'_V, a_C)$ and sends $a_P$ to $V$ as the first-round message of the $\Sigma_{OR}$-protocol 
of Phase-3 of the second session, where $a'_V$ is the message received by $A$ in the first session. 

• After receiving the second-round message of Phase-3 of the second session, i.e., the random 
challenge $e_P$ from $V$, $A$ suspends the second session. 

3. $A$ continues the first session, and sends $e'_V = e_P \oplus e_x \oplus e_C$ as the second-round message of the 
$\Sigma_{OR}$-protocol of Phase-1 of the first session. 

4. After receiving the third-round message of the $\Sigma_{OR}$-protocol of Phase-1 of the first session, denoted 
by $z'_V$, $A$ suspends the first session again. 

5. $A$ continues the execution of the second session again, and sends $z_P = ((e_x, z_x), (e'_V, z'_V), (e_C, z_C))$ 
to $V$ as the third-round message of the $\Sigma_{OR}$-protocol of Phase-3 of the second session. 

6. Finally, $A$ applies $sk$ to the whole transcript of the second session to get a (one-time strong) 
signature $\delta$, and sends $\delta$ to $V$. 

Note that $(a_x, e_x, z_x)$ is an accepting conversation for the (possibly false) statement "$x \in L$", 
$(a'_V, e'_V, z'_V)$ is an accepting conversation showing knowledge of either $sigk_0$ or $sigk_1$, and $(a_C, e_C, z_C)$ 
is an accepting conversation showing that the value committed in $C$ is a signature on $vk$ under one 
of $(verk_0, verk_1)$. Furthermore, $e_x \oplus e'_V \oplus e_C = e_P$, and $\delta$ is a valid (one-time strong) signature on the 
transcript of the second session. This means that, from the viewpoint of $V$, $A$ successfully convinced $V$ 
of the statement "$(x, verk_0, verk_1) \in \mathcal{L}$" in the second session, but without knowing any corresponding 
$\mathcal{NP}$-witness! 
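The interleaving above, as an added Python model (this is example code written for this page, not code from [22] or from this paper). The verifier's "knows $sigk_0$ or $sigk_1$" proof is modelled with Schnorr $\Sigma$-protocols over a constructed toy prime-order group, so that knowledge of a discrete log stands in for knowledge of a signing key; the $\Sigma_{OR}$ composition is the standard XOR-of-challenges construction, here written for any number of clauses so that the whole Phase-1 proof can sit as one clause of the Phase-3 proof; the commitment $C$ is modelled as a group element whose discrete log nobody knows; and the one-time signature on the transcript is omitted, since $A$ holds $sk$ and would simply sign honestly. All parameters, names and the hash-to-group helper are assumptions made for the illustration and are far too small for real use.

```python
import hashlib
import secrets

# Constructed toy parameters (illustration only; far too small for real security).
P, Q, G = 1019, 509, 4   # P = 2Q + 1 prime; G generates the order-Q subgroup of Z_P^*
T = 8                    # challenge bit-length; 2**T < Q, so XOR-combined challenges stay valid

def rand_chal():
    return secrets.randbelow(1 << T)

def hash_to_group(label):
    """Group element whose discrete log nobody knows: a statement without a known witness."""
    h = int.from_bytes(hashlib.sha256(label).digest(), "big") % P
    return pow(h or 2, 2, P)

class Schnorr:
    """Sigma-protocol for knowledge of w with h = G^w mod P (stands in for 'knows sigk_b')."""
    def __init__(self, h):
        self.h = h
    def commit(self, w):
        r = secrets.randbelow(Q)
        return r, pow(G, r, P)
    def respond(self, w, r, e):
        return (r + e * w) % Q
    def verify(self, a, e, z):
        return pow(G, z, P) == a * pow(self.h, e, P) % P
    def simulate(self, e):
        """SHVZK simulator: choose z first, then a = G^z * h^(-e)."""
        z = secrets.randbelow(Q)
        return pow(G, z, P) * pow(self.h, Q - e, P) % P, z

def or_verify(clauses, a, e, z):
    """Sigma_OR verifier: every clause transcript accepts and the clause challenges XOR to e."""
    xor = 0
    for e_j, _ in z:
        xor ^= e_j
    return xor == e and all(c.verify(a_j, e_j, z_j) for c, a_j, (e_j, z_j) in zip(clauses, a, z))

class OrClause:
    """A complete Sigma_OR transcript used as one clause of an outer Sigma_OR."""
    def __init__(self, clauses):
        self.clauses = clauses
    def verify(self, a, e, z):
        return or_verify(self.clauses, a, e, z)

class OrProver:
    """Honest Sigma_OR prover knowing the witness of clause idx; other clauses are simulated."""
    def __init__(self, clauses, idx, w):
        self.clauses, self.idx, self.w = clauses, idx, w
    def first(self):
        self.sim, a = {}, []
        for j, c in enumerate(self.clauses):
            if j == self.idx:
                self.r, a_j = c.commit(self.w)
            else:
                e_j = rand_chal()
                a_j, z_j = c.simulate(e_j)
                self.sim[j] = (e_j, z_j)
            a.append(a_j)
        return tuple(a)
    def third(self, e):
        e_i = e
        for e_j, _ in self.sim.values():
            e_i ^= e_j                    # the real clause absorbs whatever makes the XOR equal e
        out = dict(self.sim)
        out[self.idx] = (e_i, self.clauses[self.idx].respond(self.w, self.r, e_i))
        return tuple(out[j] for j in range(len(self.clauses)))

def verifier_keygen():
    """V publishes (verk0, verk1) and keeps only sigk_b, modelled here as a discrete log."""
    sigk = [secrets.randbelow(Q - 1) + 1 for _ in range(2)]
    b = secrets.randbelow(2)
    return (pow(G, sigk[0], P), pow(G, sigk[1], P)), b, sigk[b]

def cmim_attack(verk, b, sigk_b, x, y_c):
    """A runs two right sessions with the same honest V; returns V's Phase-3 verdict in session 2."""
    phase1 = [Schnorr(verk[0]), Schnorr(verk[1])]
    v1 = OrProver(phase1, b, sigk_b)          # V's Phase-1 prover state in session 1
    a_v1 = v1.first()                         # A receives a'_V and suspends session 1
    v2 = OrProver(phase1, b, sigk_b)          # session 2, Phase-1: A acts as the honest prover
    a_v2, e_v2 = v2.first(), rand_chal()
    assert or_verify(phase1, a_v2, e_v2, v2.third(e_v2))
    e_x, e_c = rand_chal(), rand_chal()       # session 2, Phase-3: simulate clauses 1 and 3
    a_x, z_x = Schnorr(x).simulate(e_x)
    a_c, z_c = Schnorr(y_c).simulate(e_c)
    a_p = (a_x, a_v1, a_c)                    # clause 2 is the relayed a'_V
    e_p = rand_chal()                         # V's random challenge in session 2
    e_v1 = e_p ^ e_x ^ e_c                    # session 1 resumes: A sends e'_V
    z_v1 = v1.third(e_v1)                     # V answers with z'_V, computed from sigk_b
    z_p = ((e_x, z_x), (e_v1, z_v1), (e_c, z_c))
    phase3 = [Schnorr(x), OrClause(phase1), Schnorr(y_c)]
    return or_verify(phase3, a_p, e_p, z_p)   # V's decision; the one-time signature is omitted

def run_demo():
    verk, b, sigk_b = verifier_keygen()
    x = hash_to_group(b"statement x with no known witness")     # constructed: A has no witness
    y_c = hash_to_group(b"commitment C with no known opening")  # constructed: the C clause
    return cmim_attack(verk, b, sigk_b, x, y_c)
```

`run_demo()` returns True: $V$ accepts the Phase-3 proof of session 2 although the only real witness behind the transcript is $V$'s own $sigk_b$, relayed from session 1 through the challenge $e'_V = e_P \oplus e_x \oplus e_C$. A knowledge extractor rewinding session 2 would recover exactly that $sigk_b$ from the relayed clause, which is the secret-key dependence that the reformulation in Section 4.2 sets out to exclude.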

4.2 Reformulating CNMZK in the BPK model 

In light of the above CMIM attack, we highlight a key difference between the CMIM setting in the 
public-key model and the CMIM setting in the standard model. 

The key difference: In the CMIM setting in the standard model, honest verifiers are PPT algorithms. 
In this case, the normal CNM formulation only considers the extra advantages the CMIM adversary 
can get from concurrent left sessions, as the actions of honest verifiers in right sessions can be efficiently 
and perfectly emulated. But in the CMIM setting in the public-key model, the honest verifier possesses a secret 
value (i.e., its secret-key) that can NOT be computed efficiently from the public-key. In other words, 
in this case a CMIM adversary can get extra advantages both from the left sessions and from the right 
sessions. This is a crucial difference between the CMIM settings for the standard model and the public-key model, 
which the normal formulation of CNM does not capture. The CMIM attack on the protocol of [22] clearly 
demonstrates this difference. 

With the above key difference in mind, we investigate reformulating the CNM notion in the public-key 
model. Above all, besides requiring the ability of simulation/extraction, we need to mandate that 
for any CMIM adversary the witnesses extracted for right sessions are "independent" of the secret-key 
used by the simulator/extractor $S$ (who emulates honest verifiers in the simulation/extraction). This 
property is named concurrent non-malleable knowledge-extraction independence (CNMKEI). CNMKEI is 
formulated by extending the formulation of concurrent knowledge-extraction (CKE) of [66] into the 
more complicated CMIM setting (the CKE notion is formulated with adversaries only interacting with 
honest verifiers, without interacting with provers). Roughly, CNMKEI is formulated as follows. 

CNMKEI IN THE PUBLIC-KEY MODEL: We require that for any PPT CMIM adversary $A$ in the 
BPK model, there exists a PPT simulator/extractor $S$ such that the following holds: $\Pr[R(SK_V, W, str) = 1]$ 
is negligibly close to $\Pr[R(SK'_V, W, str) = 1]$ for any polynomial-time computable relation $R$, where 
$SK'_V$ is an element randomly and independently distributed over the space of $SK_V$, $str$ is the simulated 
transcript indistinguishable from the real view of $A$, and $W$ are the joint witnesses extracted for the 
successful right sessions in $str$. Here, for a right session that is aborted (due to CMIM adversary 
abortion or verifier verification failure) or whose common input is identical to that of one left session, the 
corresponding witness of that right session is set to be a special symbol $\bot$. 

The formal formulation of the reformulated CNMZK definition in the BPK model is presented below: 

Definition 4.1 (CNMZK in the public-key model) We say that a protocol $(P, V)$ is concurrently 
non-malleable zero-knowledge in the BPK model w.r.t. a class of admissible languages $\mathcal{C}$ and key-validating 
relations $R^{P}_{KEY}$ and $R^{V}_{KEY}$, if for any positive polynomial $s(\cdot)$ and any $s$-CMIM adversary $A$ as 
defined in Section 3.2, there exist a pair of (expected) polynomial-time algorithms $S = (S_{KEY}, S_{PROOF})$ 
(the simulator) and $E$ (the extractor) such that for any sufficiently large $n$, any auxiliary input $z \in 
\{0,1\}^*$, any $\mathcal{NP}$-relation $R_L$ (indicating an admissible language $L \in \mathcal{C}$), and any polynomial-time 
computable relation $R$ (with components drawn from $\{0,1\}^* \cup \{\bot\}$), the following hold, in accordance 
with the experiment $Expt(1^n, X, z)$ described below: 

• Simulatability. The following ensembles are indistinguishable: 

$\{S_1(1^n, X, PK_P, PK_V, SK_V, z)\}_{X \in L^{s(n)},\ PK_P \in \mathcal{K}_P,\ (PK_V, SK_V) \in R^{V}_{KEY},\ z \in \{0,1\}^*}$ and 

$\{view^{SK_P, SK_V}_A(1^n, X, PK_P, PK_V, z)\}_{X \in L^{s(n)},\ PK_P \in \mathcal{K}_P,\ (PK_V, SK_V) \in R^{V}_{KEY},\ z \in \{0,1\}^*}$ (defined in accordance 
with the experiment $Expt^{CMIM}_{A}(1^n, X, W, z)$ described in Section 3.2). This in particular 
implies that the probability ensembles $\{S_1(1^n, X, z)\}_{X \in L^{s(n)},\ z \in \{0,1\}^*}$ and $\{view_A(1^n, X, z)\}_{X \in L^{s(n)},\ z \in \{0,1\}^*}$ 
are indistinguishable. 

• Secret-key independent knowledge-extraction. $E$, on inputs $(1^n, str, sta)$, outputs witnesses 
to all (different right) statements successfully proved in accepting right sessions in $str$ (with each 
of the statements different from those of the left sessions). Specifically, $E$ outputs a list of strings 
$W = (w_1, w_2, \cdots, w_{s(n)})$ satisfying the following: 

– $w_i$ is set to be $\bot$ if the $i$-th right session in $str$ is not accepting (due to abortion or verifier 
verification failure) or the common input of the $i$-th right session is identical to that of one 
of the left sessions, where $1 \le i \le s(n)$. 

– Correct knowledge-extraction for (individual) statements: In all other cases, with overwhelming 
probability $(x_i, w_i) \in R_{\hat{L}}$, where $x_i$ is the statement selected by $A$ for the $i$-th right session in 
$str$ and $R_{\hat{L}}$ is the $\mathcal{NP}$-relation for the admissible language $\hat{L} \in \mathcal{C}$ set by $A$ for the right sessions 
in $str$. 

– Concurrent non-malleable knowledge-extraction independence (CNMKEI): $\Pr[R(SK_V, W, str) = 1]$ 
is negligibly close to $\Pr[R(SK'_V, W, str) = 1]$. This in particular implies that the distributions 
of $(PK_V, SK_V, str)$ and $(PK_V, SK'_V, str)$ are indistinguishable (as $PK_V$ is included in $str$). 

The probabilities are taken over the randomness of $P_1$, the randomness of $S$ in the key-generation 
stage (i.e., the randomness for generating $(PK_V, SK_V, SK'_V)$) and in all proof stages, the randomness 
of $E$, and the randomness of $A$. 

Honest prover key-generation: 

$(PK_P, SK_P) \leftarrow P_1(1^n)$. Denote by $\mathcal{K}_P$ the set of all legitimate public-keys generated 
by $P_1(1^n)$. Note that the execution of $P_1$ is independent of the simulation below. In 
particular, only the public-key $PK_P$ is passed on to the simulator. 

The simulator $S = (S_{KEY}, S_{PROOF})$: 

$(PK_V, SK_V, SK'_V) \leftarrow S_{KEY}(1^n)$, where the distribution of $(PK_V, SK_V)$ is identical 
to that of the output of the key-generation stage of the honest verifier $V_1$, 
$R^{V}_{KEY}(PK_V, SK_V) = R^{V}_{KEY}(PK_V, SK'_V) = 1$, and the distributions of $SK_V$ and $SK'_V$ 
are identical and independent. In other words, $SK_V$ and $SK'_V$ are two random and 
independent secret-keys corresponding to $PK_V$. 

$(str, sta) \leftarrow S^{A(1^n, X, PK_P, PK_V, z)}_{PROOF}(1^n, X, PK_P, PK_V, SK_V, z)$. That is, on inputs 
$(1^n, X, PK_P, PK_V, SK_V, z)$ and with oracle access to $A(1^n, X, PK_P, PK_V, z)$ (defined 
in accordance with the experiment $Expt^{CMIM}_{A}(1^n, X, W, z)$ described in Section 3.2), 
the simulator $S$ outputs a simulated transcript $str$ and some state information $sta$ 
to be transferred to the knowledge-extractor $E$. Note that $S$ does not know the 
secret-key $SK_P$ of the honest prover; that is, $S$ can emulate the honest prover only from 
its public-key $PK_P$. 

For any $X \in L^{s(n)}$ and $z \in \{0,1\}^*$, we denote by $S_1(1^n, X, z)$ the random variable 
$str$ (in accordance with the above processes of $P_1$, $S_{KEY}$ and $S_{PROOF}$). For 
any $X \in L^{s(n)}$, $PK_P \in \mathcal{K}_P$, $(PK_V, SK_V) \in R^{V}_{KEY}$ and any $z \in \{0,1\}^*$, we 
denote by $S_1(1^n, X, PK_P, PK_V, SK_V, z)$ the random variable describing the first 
output of $S^{A(1^n, X, PK_P, PK_V, z)}_{PROOF}(1^n, X, PK_P, PK_V, SK_V, z)$ (i.e., $str$ specific to 
$(PK_P, PK_V, SK_V)$). 

The knowledge-extractor $E$: 

$W \leftarrow E(1^n, sta, str)$. On $(sta, str)$, $E$ outputs a list of witnesses to the (different right) 
statements whose validity was successfully conveyed in right sessions in $str$, where 
each of these statements is different from the statements of the left sessions. 

Note that the above CNM formulation in the public-key model implies both concurrent ZK for 
concurrent prover security in the public-key model (note that $S$ emulates the honest prover without 
knowing its secret-key), and concurrent knowledge-extraction for concurrent verifier security in the 
public-key model as formulated in [66]. The CNM formulation follows the simulation-extraction approach 
of [62], and extends the CKE formulation of [66] into the more complex CMIM setting. We remark 
that, as clarified, mandating the CNMKEI property is crucial for correctly formulating CNM security 
in the public-key model. We also note that the above CNMZK definition in the BPK model can be 
trivially extended to a tag-based version. 

4.3 Discussions and clarifications 

Existing CNM formulations in the public-key model do not capture CNMKEI. The CNM
formulation in the work [60] uses the indistinguishability-based approach of [M]. Specifically, in the
CNM formulation of [60], two experiments are defined (page 19 of [60]): a real experiment w.r.t. a
real public-key of an honest verifier (here, denoted $PK_V$), in which a CMIM adversary mounts CMIM
attacks; and a simulated experiment run by a simulator/extractor S w.r.t. a simulated public-key (here,
denoted $PK_S$), in which S accesses A and takes a simulated secret-key $SK_S$. CNM is then formulated
as follows: the distribution of all witnesses used by A in right sessions in the real experiment
is indistinguishable from the distribution of the witnesses used by A in right sessions in the simulated
experiment. Note that [60] does not require the simulator/extractor to output a simulated indistinguishable
transcript. That is, the CNM formulation of [60] does not automatically imply concurrent
zero-knowledge.

It appears that the CNM formulation of [60] has already dealt with the issue of knowledge-extraction
independence. But a careful investigation shows that it does not. The reason is as follows:

Firstly, in the real experiment the statements selected by the CMIM adversary A for both left and
right sessions can be maliciously related to $PK_V$ (e.g., some function of $PK_V$), and thus the witnesses
extracted for right sessions of the real experiment could potentially depend on the secret-key $SK_V$
used by honest players. Note that, as witnessed by the above concurrent interleaving and malleating
attack on the CNMZK protocol of [22], when extracted witnesses are maliciously dependent on $SK_V$,
knowledge-extraction does not necessarily capture the intuition that A does "know" the witnesses
extracted. Similarly, as in the simulated experiment S uses $SK_S$ in simulation/extraction, the witnesses
extracted in the simulated experiment could also be maliciously dependent on $SK_S$. That is, both the
witnesses extracted in the real experiment and in the simulated experiment may be maliciously dependent on
$SK_V$ and $SK_S$ respectively, but their distributions can still be indistinguishable as the distributions
of $SK_V$ and $SK_S$ are identical.^

The CNMZK formulations in the subsequent works of [22], [61] are essentially the traditional CNMZK
formulation following the simulation/extraction approach, which is incomplete for correctly capturing
CNM security in the public-key model, as clarified above.

CNM with full adaptive input selection. The above CNMZK formulation does not explicitly
specify the input-selecting capabilities of the CMIM adversary. According to the clarifications presented
in Section 3.1, there are four kinds of CNM security to be considered: CNM security against CMIM
with predetermined inputs, CNM security against CMIM with adaptive input selection, CNM security
against CMIM with predetermined left-session inputs but full adaptive input selection on the right, and
CNM security against CMIM with full adaptive input selection.

We briefly note that no previous protocols in the BPK model were proved to be CNM-secure even
against CMIM with predetermined left-session inputs but full adaptive input selection on the right (i.e., the
inputs to left sessions are predetermined and the CMIM adversary only sets the inputs to right sessions in the
fully adaptive way), needless to say CNM-secure against CMIM with full adaptive input selection.
Specifically, the standard simulation-extraction paradigm for showing CNM security fails, in general,
when the CMIM adversary is allowed the capability of full adaptive input selection.

In more detail, the standard simulation-extraction paradigm for establishing CNM security works
as follows: the simulator first outputs an indistinguishable simulated transcript, and then extracts the
witnesses to the (different) inputs of successful right sessions appearing in the simulated transcript, one by
one sequentially, by applying some assured underlying knowledge-extractor. This paradigm can work for
a CMIM adversary with the capability of traditional adaptive input selection, as the input to each right
session is fixed at the beginning of the right session. Thus, applying the knowledge-extractor to a right
session does not change the statement of the session, which has already appeared and is fixed in the simulated
transcript.

But, for a CMIM adversary with fully adaptive input selection, the standard simulation-extraction
paradigm fails in general. In particular, consider an adversary that always sets the input
to each right session only at the last message of that session; this case applies to both of the two
illustrative natural protocol examples presented in Section 3.1, composing coin-tossing and NIZK, and
the Feige-Shamir-ZK-like protocols. In this case, when we apply the knowledge-extractor to a successful
right session, the statement of this session will also be changed, which means that the extractor
may never extract a witness to the same statement appearing (and fixed) in the simulated transcript.
More detailed clarifications are given in Section 5.1, following the definition of concurrent non-malleable
coin-tossing in the BPK model.

On the possibility of CNMZK with adaptive input selection in the BPK model. The
possibility of CNMZK with adaptive (not necessarily fully adaptive) input selection in the BPK
model also turns out to be a quite subtle issue. In particular, we note that (traditional) adaptive
input selection was highlighted for the CNMZK in [60], but the updated version of [61] is w.r.t.
predetermined prover inputs (such subtleties were not clarified in [60], [61]). It appears that, as noted
recently in [62], the existence of CNMZK with adaptive (needless to say fully adaptive) input selection
in the BPK model might potentially violate Lindell's impossibility results on concurrent composition
with adaptive input selection [53], [51]. This raises the question of whether constant-round CNMZK
protocols (particularly in accordance with our CNMZK formulation) with adaptive input selection exist
in the BPK model (or whether this is possible at all).

^ We note that the CNMZK definition in [60] was modified in [61] in March 2007, after we revealed this observation in
[66] in January of 2007 (the preliminary version of [66] was submitted to CRYPTO 2007).

A careful investigation shows that constant-round CNMZK with adaptive input selection could still
be possible in the BPK model, and actually our work does imply such protocols with the strongest full
adaptive input selection. Below, we give detailed clarifications in view of Lindell's impossibility results
of [53], [51]. Lindell's impossibility results of [53], [51] hold for concurrent (self or general) composition
of protocols securely realizing (large classes of) functionalities enabling (bilateral) bit transmission.
The zero-knowledge functionality $((x, w), \lambda) \mapsto (\lambda, (x, R(x, w)))$ enables unilateral bit transmission
from prover to verifier. But, when a CNMZK protocol in the plain model is considered, where the
CMIM adversary can play both the role of prover and the role of verifier (note that the honest
verifier can be perfectly emulated by the CMIM adversary in the plain model), it actually amounts to
realizing an extended version of the ZK functionality with interchangeable roles that does enable bilateral bit
transmission in this case. This implies that CNMZK with adaptive input selection is impossible in
the plain model.

The ZK (not necessarily CNMZK) protocol for an NP-language $L$ in the BPK model essentially
amounts to securely realizing the following functionality:
$((x, w), (PK_V, SK_V)) \mapsto ((PK_V, \mathcal{R}_{KEY}(PK_V, SK_V)), (x, \mathcal{R}_L(x, w)))$,
which enables bilateral bit transmission. This means that when adaptive input selection
is allowed both for prover inputs and verifier's keys, which implies that the verifier's keys and thus
the public file output by the key-generation stage are not fixed but are set accordingly by the CMIM
adversary in order to transmit bits from honest verifiers to honest provers, even concurrent ZK (needless
to say CNMZK) may not exist in the BPK model! We highlight some key points that still could allow
the possibility of CNMZK with adaptive input selection in the BPK model:

• Disabling bit transmission from honest verifiers to other players: Note that: in the key-
generation stage, the keys of honest verifiers are generated independently by the honest verifiers
themselves and cannot be set adaptively by the CMIM adversary; in the proof stages, the keys of
honest verifiers (actually all keys in the public file) cannot be modified by the CMIM adversary,
as we assume the public file used in the proof stages remains the same output at the end of the
key-generation stage; furthermore, in the BPK setting we assume the role of honest verifiers
with honestly generated keys is fixed. That is, honest verifiers may prove the knowledge of their
corresponding secret-keys, but they never prove anything else.

Putting it all together, it means that honest verifiers instantiated with their public-keys cannot be
impersonated and emulated by the CMIM adversary, and their inputs (i.e., the keys generated in the
key-generation stage and then fixed and remaining unchanged for the proof stages) and their prescribed
actions and player role in the proof stages are not influenced by the CMIM adversary. This disables
bit transmission from honest verifiers to other players, which implies that the existence of CNMZK
with adaptive input selection in the BPK model could still not violate Lindell's impossibility
results.

• Disabling bit transmission from other players to honest provers: For a protocol in the
BPK model, the public-keys registered by honest provers and the public-keys registered by honest
verifiers can be of different types, and the use of honest-prover keys and the use of honest-verifier
keys in the protocol implementation can also be totally different. Such differences can be by design,
as demonstrated with our CNMCT implementation. Then, for honest provers of fixed role in the
BPK model, though the CMIM adversary can enable, by adaptive input selection, bit transmission
from honest provers to other players, in the BPK model the CMIM adversary may not enable bit
transmission from other players to honest provers.



• Concurrent self composition vs. concurrent general composition in the BPK model:

We further consider a more general case for any two-party protocol $(P, V)$ in the BPK model.
Suppose there are some players of fixed role, and some players of interchangeable roles (i.e., players
who can serve both as prover and as verifier). The direct way for a player in the BPK model to
be of interchangeable roles is to register a pair of keys $(PK_P, PK_V)$ and to explicitly indicate its
role, i.e., prover or verifier, in the run of each session. Then, according to the analysis of [53], [51],
the run of any arbitrary external protocol executed among players of interchangeable roles can be
emulated, by a CMIM adversary capable of adaptive input selection, in the setting of concurrent
self composition of the protocol $(P, V)$ among those players. But the external protocol executions
involving honest players of fixed roles are not necessarily able to be emulated by
self-composition of the protocol involving the honest players of fixed roles. This implies that,
as long as there are honest players of fixed roles in the BPK model, concurrent self-composition
with adaptive input selection in the BPK system does not necessarily imply concurrent general
composability.

A tradeoff. The above clarifications also pose a tradeoff between players' roles and their CNM security
levels in the BPK model: for the stronger CNM security of adaptive input selection, honest players in the
BPK model need to be of fixed roles; of course, honest players can also choose to be of interchangeable
roles for their own convenience, but with the caveat that CNM security against CMIM of adaptive
input selection may be lost (though CNM with predetermined inputs can still remain). In other words,
whether to be of fixed role or interchangeable role can be at the discretion of each honest player in the
BPK model. If one is interested in the stronger CNM security against CMIM of (full) adaptive input
selection, it is necessary for it to be of fixed role. A typical scenario of this case is a player that is a
server, which normally plays the same role and gives higher priority to stronger security over the Internet.
However, if one is interested in the convenience of interchangeable roles, it can simply register a pair of
keys $(PK_P, PK_V)$ and explicitly indicate its role in the run of each session, but with the caveat that
its CNM security against CMIM of adaptive input selection may be lost.

5 Constant-Round CNM Coin-Tossing in the BPK Model

Coin-tossing is one of the first and most fundamental protocol problems in the literature [7]. In its
simplest form, the task calls for two mutually distrustful parties to generate a common random string [9].
In this section, we formulate and achieve constant-round concurrent non-malleable coin-tossing in the
more complex CMIM setting in the BPK model, which can be used to move concurrent non-malleable
cryptography from the common random string model into the weaker BPK model.

5.1 Definition of CNM coin-tossing in the BPK model

Let $(L, R)$ be a coin-tossing protocol between a left-player L and a right-player R. (We abuse the
notations L and R in this section. Specifically, L stands for the left-player, and in some contexts we
may explicitly indicate L to be a language; R stands for the right-player, and in some contexts we may
explicitly indicate R to be a relation.) The CMIM setting for coin-tossing in the BPK model can be
slightly adapted (actually simplified) from the CMIM setting for CNMZK in the BPK model (formulated
in Section 4.1). Note that coin-tossing amounts to the functionality $(\lambda, \lambda) \mapsto (r, r)$, where $r$ is a random
string. As players possess no inputs in the coin-tossing functionality, the issue of adaptive input selection
does not apply to coin-tossing. But, as we shall see, the CNMCT formulated and achieved herein can
be used to transform CNM cryptography from the CRS model to the BPK model with fully adaptive input
selection.

To formulate CNMCT in the complex CMIM setting, the rough idea is: for any CMIM adversary
A there exists a PPT simulator S such that: (1) S outputs a simulated transcript str indistinguishable
from the real view of A, together with some state information sta; (2) S can set, at its wish, "random
coin-tossing outputs" for all (left and right) sessions in str, in the sense that S learns the corresponding
trapdoor information (included in sta) of the coin-tossing output of each session. Intuitively, such a
formulation implies the traditional simulation-extraction CNM security. But, with the goal of transforming
CNM cryptography from the CRS model into the weaker BPK model in mind, some terms need to
be further deliberated.

Above all, we require that the combination of str and sta be independent of the secret-key
emulated and used by the simulator. This is necessary to guarantee that A knows what it claims to
know in its CMIM attack.

Secondly, we should mandate the ability of online setting of the coin-tossing outputs of all sessions appearing
in str, in the sense that S sets the coin-tossing outputs and the corresponding trapdoor information
(encoded in sta) in an online way, at the same time as forming str. This is critical to guarantee
CNM security against CMIM with full adaptive input selection.

Finally, we need to make clear the meaning of "random coin-tossing outputs". One formulation is to
require that all coin-tossing outputs are independent random strings. Such a formalization rules out the
natural copying strategy by definition, and thus is too strong to capture naturally secure protocols. On
the other hand, in order to allow the copying strategy to the CMIM, an alternative relaxed formulation
is to only require that the coin-tossing output of each individual session is random. But this alternative
formalization is too weak to rule out naturally insecure protocols (for instance, consider that the CMIM
manages to set the outputs of some sessions to be maliciously correlated or even identical).
The right formulation should essentially be: the coin-tossing output of each left (resp., right) session is
either independent of the outputs of all other sessions OR copied from the output of one right (resp.,
left) session on the opposite CMIM part; furthermore, the output of each session in one CMIM part can
be copied into the opposite CMIM part at most once.

Legitimate CRS-simulating algorithm $\mathcal{M}_{CRS}$. Let $(r, \tau_r) \leftarrow \mathcal{M}_{CRS}(1^n)$, where $\mathcal{M}_{CRS}$ is a
PPT algorithm. The PPT algorithm $\mathcal{M}_{CRS}$ is called a legitimate CRS-simulating algorithm with respect
to a polynomial-time computable CRS-trapdoorness validating relation $\mathcal{R}_{CRS}$ if the distribution of its
first output, i.e., $r$, is computationally indistinguishable from $U_n$ (the uniform distribution over strings
of length $n$), and $\mathcal{R}_{CRS}(r, \tau_r) = 1$ for all outputs of $\mathcal{M}_{CRS}$ (typically, $\tau_r$ is some trapdoor information
about $r$). For a positive polynomial $s(\cdot)$, we denote by
$(\{r_1, r_2, \cdots, r_{s(n)}\}, \{\tau_{r_1}, \tau_{r_2}, \cdots, \tau_{r_{s(n)}}\}) \leftarrow \mathcal{M}^{s(n)}_{CRS}(1^n)$
the output of the experiment of running $\mathcal{M}_{CRS}(1^n)$ independently $s(n)$ times, where
for any $i$, $1 \le i \le s(n)$, $(r_i, \tau_{r_i})$ denotes the output of the $i$-th independent execution of $\mathcal{M}_{CRS}$.

$\mathcal{M}_{CRS}$-trivially achievable distribution. Let $G$ be a set of pairs of integers
$\{(i_1, j_1), (i_2, j_2), \cdots, (i_t, j_t)\}$, where $1 \le i_1 < i_2 < \cdots < i_t \le s(n)$ and
$1 \le j_1, j_2, \cdots, j_t \le s(n)$ are distinct integers, and $0 \le t \le s(n)$, such that $G$ is
defined to be the empty set when $t = 0$. Let $\mathcal{M}_{s,n,G}$ be the probability distribution
over $(\{0,1\}^n)^{2s(n)}$ obtained by first generating $2s(n) - t$ $n$-bit strings
$\{x_m, y_k \mid m \in \{1, 2, \cdots, s(n)\},\ k \in \{1, 2, \cdots, s(n)\} - \{j_1, j_2, \cdots, j_t\}\}$
by running $\mathcal{M}(1^n)$ independently $2s(n) - t$ times, and then defining $y_{j_d} = x_{i_d}$ for
$1 \le d \le t$, taking $(x_1, x_2, \cdots, x_{s(n)}, y_1, y_2, \cdots, y_{s(n)})$ as the output. A probability
distribution over $(\{0,1\}^n)^{2s(n)}$ is called $\mathcal{M}$-trivially achievable if it is a convex combination of
$\mathcal{M}_{s,n,G}$ over all $G$'s.
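As an added illustration (not the paper's code), the following Python sampler draws from $\mathcal{M}_{s,n,G}$ for a given copying set $G$, enforcing the constraints on $G$ stated above, and recovers $G$ from a sample to check the "copied at most once" rule. $\mathcal{M}_{CRS}$ is modelled by a caller-supplied sampler, defaulting to uniform $n$-bit strings, and the trapdoors $\tau_r$ are omitted since $\mathcal{M}_{s,n,G}$ concerns only the first outputs (both assumptions of mine).

```python
import os
from typing import Callable, List, Optional, Sequence, Tuple

# Added example, not the paper's code. M_CRS is modelled by any zero-argument
# sampler returning n-bit strings; the trapdoor tau_r is omitted since M_{s,n,G}
# only concerns the first outputs r_i (assumption).
Sampler = Callable[[], bytes]


def validate_G(G: Sequence[Tuple[int, int]], s: int) -> None:
    """Check G = {(i_1,j_1),...,(i_t,j_t)}: 1 <= i_1 < ... < i_t <= s, the j_d are
    distinct in [1, s], and 0 <= t <= s (1-based indices, as in the definition)."""
    t = len(G)
    if t > s:
        raise ValueError("t must be at most s(n)")
    i_idx = [i for i, _ in G]
    j_idx = [j for _, j in G]
    if any(not 1 <= i <= s for i in i_idx) or any(not 1 <= j <= s for j in j_idx):
        raise ValueError("indices must lie in [1, s(n)]")
    if any(a >= b for a, b in zip(i_idx, i_idx[1:])):
        raise ValueError("i_1 < i_2 < ... < i_t must be strictly increasing")
    if len(set(j_idx)) != t:
        raise ValueError("j_1, ..., j_t must be distinct")


def sample_M_s_n_G(G: Sequence[Tuple[int, int]], s: int, n_bytes: int = 32,
                   M: Optional[Sampler] = None) -> Tuple[List[bytes], List[bytes]]:
    """One draw from M_{s,n,G}: 2s - t fresh samples of M, then y_{j_d} = x_{i_d}."""
    validate_G(G, s)
    draw: Sampler = M if M is not None else (lambda: os.urandom(n_bytes))
    xs = [draw() for _ in range(s)]                      # x_1, ..., x_s (left outputs)
    copied = {j: i for i, j in G}                        # j_d -> i_d
    ys = [xs[copied[k] - 1] if k in copied else draw()   # y_k is a copy or fresh
          for k in range(1, s + 1)]
    return xs, ys


def copy_structure(xs: Sequence[bytes],
                   ys: Sequence[bytes]) -> Tuple[List[Tuple[int, int]], bool]:
    """Recover G from a sample and report whether every x_i was copied into at most
    one y_j. Assumes fresh samples of M are pairwise distinct, which holds with
    overwhelming probability for uniform n-bit strings (assumption)."""
    position = {x: i + 1 for i, x in enumerate(xs)}
    G = sorted((position[y], k + 1) for k, y in enumerate(ys) if y in position)
    at_most_once = len({i for i, _ in G}) == len(G)
    return G, at_most_once
```

A sample whose recovered $G$ fails the at-most-once check (one left output copied into two right sessions) is exactly the kind of correlated output the definition excludes.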

Now, we are ready for a formal definition of concurrently non-malleable coin-tossing (CNMCT) in 
the CMIM setting of the BPK model. 

Definition 5.1 (concurrently non-malleable coin-tossing, CNMCT) Let $\Pi = (L, R)$ be a two-party
protocol in the BPK model, where $L = (L_{KEY}, L_{PROOF})$ and $R = (R_{KEY}, R_{PROOF})$. We say
that $\Pi$ is a concurrently non-malleable coin-tossing protocol in the BPK model w.r.t. some key-validating
relations $\mathcal{R}^L_{KEY}$ and $\mathcal{R}^R_{KEY}$ if for any PPT $s(n)$-CMIM adversary A in the BPK model there exists a
probabilistic (expected) polynomial-time algorithm $S = (S_{KEY}, S_{PROOF})$ such that, for any sufficiently
large $n$, any auxiliary input $z \in \{0,1\}^*$, any PPT CRS-simulating algorithm $\mathcal{M}_{CRS}$ and any polynomial-
time computable (CRS-trapdoor validating) relation $\mathcal{R}_{CRS}$, and any polynomial-time computable (SK-
independence distinguishing) relation $\mathcal{R}$ (with components drawn from $\{0,1\}^* \cup \{\bot\}$), the following hold,
in accordance with the experiment $\mathrm{Expt}_{CNMCT}(1^n, z)$ described below:



Honest left-player key-generation:

$(PK_L, SK_L) \leftarrow L_{KEY}(1^n)$. Denote by $\mathcal{K}_L$ the set of all legitimate public-keys
generated by $L_{KEY}(1^n)$. Note that the execution of $L_{KEY}$ is independent from the
simulation below. In particular, only the public-key $PK_L$ is passed on to the simulator.

The simulator $S = (S_{KEY}, S_{PROOF})$:

$(PK_R, SK_R, SK'_R) \leftarrow S_{KEY}(1^n)$, where the distribution of $(PK_R, SK_R)$ is identical
to that of the output of the key-generation stage of the honest right-player R (i.e.,
$R_{KEY}$), $\mathcal{R}^R_{KEY}(PK_R, SK_R) = \mathcal{R}^R_{KEY}(PK_R, SK'_R) = 1$, and the distributions of $SK_R$
and $SK'_R$ are identical and independent.

$(str, sta) \leftarrow S_{PROOF}^{A(1^n, PK_L, PK_R, z)}(1^n, z, PK_L, PK_R, SK_R)$. That is, on inputs
$(1^n, z, PK_L, PK_R, SK_R)$ and with oracle access to $A(1^n, PK_L, PK_R, z)$, the simulator
S outputs a simulated transcript str and some state information sta. Denote by
$R_L = \{R_L^{(1)}, R_L^{(2)}, \cdots, R_L^{(s(n))}\}$ the set of outputs of the $s(n)$ left sessions in str and
by $R_R = \{R_R^{(1)}, R_R^{(2)}, \cdots, R_R^{(s(n))}\}$ the set of outputs of the $s(n)$ right sessions in str.
The state information sta consists, among others, of two sub-sets (of $s(n)$ components
each): $sta_L = \{sta_L^{(1)}, sta_L^{(2)}, \cdots, sta_L^{(s(n))}\}$ and $sta_R = \{sta_R^{(1)}, sta_R^{(2)}, \cdots, sta_R^{(s(n))}\}$.
Note that S does not know the secret-key $SK_L$ of the honest left-player; that is, S can emulate
the honest left-player only from its public-key $PK_L$.

For any $z \in \{0,1\}^*$, we denote by $S(1^n, z)$ the random variable str (in accordance with the
above processes of $L_{KEY}$, $S_{KEY}$, and $S_{PROOF}$). For any $z \in \{0,1\}^*$, any $PK_L \in \mathcal{K}_L$
and $(PK_R, SK_R) \in \mathcal{R}^R_{KEY}$, we denote by $S(1^n, z, PK_L, PK_R, SK_R)$ the random
variable $S(1^n, z)$ specific to $(PK_L, PK_R, SK_R)$.



• Simulatability. The following ensembles are indistinguishable:
$\{S(1^n, z, PK_L, PK_R, SK_R)\}_{n \in N,\ PK_L \in \mathcal{K}_L,\ (PK_R, SK_R) \in \mathcal{R}^R_{KEY},\ z \in \{0,1\}^*}$ and
$\{\mathrm{view}_A^{L}(1^n, z, PK_L, PK_R)\}_{n \in N,\ PK_L \in \mathcal{K}_L,\ (PK_R, SK_R) \in \mathcal{R}^R_{KEY},\ z \in \{0,1\}^*}$ (defined in accordance
with the experiment $\mathrm{Expt}_{CMIM}(1^n, z)$ depicted in Section 4.1). This in particular implies
that the probability ensembles $\{S(1^n, z)\}_{n \in N,\ z \in \{0,1\}^*}$ and $\{\mathrm{view}_A(1^n, z)\}_{n \in N,\ z \in \{0,1\}^*}$ are
indistinguishable.

• Strategy-restricted and predefinable randomness. With overwhelming probability, the distributions
of $(R_L, sta_L)$ and $(R_R, sta_R)$ are identical to that of $\mathcal{M}^{s(n)}_{CRS}(1^n)$; furthermore, the distribution
of $(R_L, R_R)$ is $\mathcal{M}$-trivially achievable.

• Secret-key independence. $\Pr[\mathcal{R}(SK_R, str, sta) = 1]$ is negligibly close to $\Pr[\mathcal{R}(SK'_R, str, sta) = 1]$.

The probabilities are taken over the randomness of S in the key-generation stage (i.e., the randomness
for generating $(PK_R, SK_R, SK'_R)$) and in all proof stages, the randomness of $L_{KEY}$, the randomness
of $\mathcal{M}_{CRS}$, and the randomness of A.



5.1.1 Comments and clarifications 

Some comments and clarifications on the CNMCT definition are in order.



On the strategy-restricted and predefinable randomness property. Note that the formalization
of the strategy-restricted and predefinable randomness property requires that the coin-tossing
outputs of all left sessions (resp., all right sessions) are independent (pseudo)random strings and are set
by the simulator S, in an online way at its wish. We stress that we do not require, by such a formalization,
that the coin-tossing outputs of all left and right sessions are independent. That is, we do not require
that the distribution of $((R_L, R_R), (sta_L, sta_R))$ be identical to that of $\mathcal{M}^{2s(n)}_{CRS}(1^n)$. The latter formalization
rules out the natural copying strategy by definition, and thus is too strong to naturally capture CNM-
secure cryptographic protocols. On the other hand, in order to allow the copying strategy to the CMIM
adversary, another alternative relaxed formalization is to only require that the coin-tossing output of
each individual (left or right) session is identical to $\mathcal{M}_{CRS}(1^n)$. But this alternative formalization is too
weak to rule out naturally insecure protocols. Specifically, consider that a CMIM adversary manages to
set the outputs of some (and maybe all) sessions to be the same string, or to be maliciously correlated
in general. In this case, it can still be true that the output of each individual session is identical
to $\mathcal{M}_{CRS}(1^n)$, but this is clearly not secure as the coin-tossing outputs are maliciously correlated.

Our formalization essentially implies that the coin-tossing output of each left (resp., right) session
is either independent of the outputs of all other sessions OR copied from the output of one right (resp.,
left) session in the other CMIM part; furthermore, the output of each session in one CMIM part can be
copied into the other CMIM part at most once.

On the ability of online setting all coin-tossing outputs and its implication for CNM
security against CMIM of full adaptive input selection. Note that in the above CNMCT formulation,
the simulator S not only outputs a simulated transcript that is indistinguishable from the real view
of the CMIM adversary, but also sets and controls, at the same time in an online way, the coin-
tossing outputs of all left and right sessions in the simulated transcript (in the sense that S knows
the corresponding trapdoor information of all the coin-tossing outputs appearing in the simulated
transcript). This ability of S plays several essential roles: firstly, setting the outputs of all CNMCT
sessions (at its wish, in an online way) is essential, in general, to transform CNM cryptography in the
CRS model into CNM cryptography in the BPK model, as in the security formulation and analysis of
CNM protocols in the CRS model the simulator does control and set all simulated CRSs; secondly, such
ability of S is critical for obtaining CNM security against CMIM with full adaptive input selection, which
is addressed in detail below.

For more detailed clarifications about this issue, consider a protocol (e.g., a ZK protocol) that
results from the composition of a coin-tossing protocol in the BPK model and a protocol (e.g., an
NIZK protocol) in the CRS model, and assume the CMIM adversary sets the input to each session of the
composed protocol at the last message of that session. In particular, the input to each session can
be an arbitrary function of the coin-tossing output and will differ for different coin-
tossing outputs. Now, suppose the simulator/extractor cannot set the coin-tossing outputs of all right
sessions in an online way; that is, for some (at least one) successful right sessions in the simulated
transcript, the simulator fails to set the coin-tossing outputs of these sessions, and thus learns no
trapdoor information enabling online knowledge-extraction. In case the inputs of these right sessions
do not appear as inputs of left sessions, then, in order to extract witnesses to the inputs of such
successful right sessions appearing in the simulated transcript, the simulator/extractor has to rewind the
CMIM adversary and manage to set, one by one sequentially, the coin-tossing outputs of these right
sessions. But the problem is: whenever the simulator/extractor is finally able to set (if it is possible at all),
at its wish, the output of a right session in question, the input to that right session set by the CMIM
adversary is changed as well (as it is determined by the output of the coin-tossing). This means that
the simulator/extractor may never be able to extract the witnesses to all the inputs of successful right
sessions appearing in the simulated transcript. The above arguments also apply to Feige-Shamir-ZK-like
protocols as illustrated in Section 3.1. We remark that it is the ability of online setting of the outputs
of all coin-tossing sessions, in our CNMCT formulation and security analysis, that enables us to obtain
CNM security against CMIM of full adaptive input selection.

On the generality of CNMCT. We first note that CNMCT in the BPK model actually implies
(or serves as the basis to formulate) concurrent non-malleability with full adaptive input selection for
any cryptographic protocol in the BPK model. The reason is: concurrent non-malleability for any
functionality can be implemented in the common random string model [21], [14]. By composing any
concurrent non-malleable cryptographic protocol in the CRS model with a CNMCT protocol in the
BPK model, with the output of CNMCT serving as the common random string of the underlying
CNM-secure protocol in the CRS model, we can transform it into a CNM-secure protocol in the BPK
model. In particular, we can view the composed protocol as a special (extended) coin-tossing protocol.
Specifically, to define the CNM security for any protocol in the BPK model which results from the
composition of a CNM-secure protocol in the CRS model and a CNMCT protocol in the BPK model, we
just view the composed protocol as a special (extended) coin-tossing protocol, and apply the CNMCT
formulation to get the CNM security formulation for the composed protocol.

With CNMZK as an illustrative example, when composed with adaptive non-malleable NIZK arguments
of knowledge (e.g., the robust NIZK of [21] for NP), CNMCT implies (tag-based^)
concurrent non-malleable zero-knowledge arguments of knowledge (for NP) with full adaptive input
selection in the BPK model. But we do not need to explicitly formulate the (adaptive input-selecting)
CNM security for ZK protocols in the BPK model. Specifically, we can view the composed protocol (of
CNMCT and robust NIZK) as a special version of coin-tossing and note that in this case $(str, \tau_r)$ implies
knowledge-extraction. Then, the properties of simulatability and strategy-restricted and predefinable
randomness of CNMCT imply simulation-extraction, by viewing $\mathcal{M}_{CRS}$ as the CRS simulator of the
underlying NMNIZK. The secret-key independent knowledge extraction is derived from the property of
secret-key independence of CNMCT.

5.2 Implementation and analysis of constant-round CNMCT in the BPK model 

High-level overview of the CNMCT implementation. We design a coin-tossing mechanism in
the BPK model which allows each player to set the coin-tossing output whenever it learns its peer's
secret-key. The starting point is the basic and famous Blum-Lindell coin-tossing [9], [39]: the left-
player L commits to a random string $\sigma$, using randomness $s_\sigma$, as $c = C(\sigma, s_\sigma)$ with a statistically-binding
commitment scheme C; the right-player R responds with a random string $r_r$; L sends back $r = \sigma \oplus r_r$
and proves the knowledge of $(\sigma, s_\sigma)$. To give the simulator the ability of online setting coin-tossing
outputs against malicious right-players, R proves its knowledge of its secret-key $SK_R$ (using the key-
pair trick of [59]), and L accordingly proves the knowledge of either $(\sigma, s_\sigma)$ or $SK_R$. To give the
ability of online setting coin-tossing outputs against malicious left-players, L registers $c = C(\sigma, s_\sigma)$ as
its public-key and treats $\sigma$ as the seed of a pseudorandom function PRF; L then sends a commitment to
$r_l = \mathrm{PRF}_\sigma(r'_r)$ after receiving $r'_r$ from R; it returns $r = r_l \oplus r_r$ and proves the knowledge of either
its secret-key $SK_L = (\sigma, s_\sigma)$ (such that $r = r_r \oplus \mathrm{PRF}_\sigma(r'_r)$) or the right-player's secret-key $SK_R$. The
underlying proof of knowledge is implemented with PRZK. But correct knowledge-extraction with bare
public-keys in the complex CMIM setting is quite subtle. At a very high level, the correct knowledge
extraction, as well as the CNM security, is reduced to the one-left-many-right non-malleability of PRZK.

Now, we present the implementation of constant-round CNMCT $(L, R)$ in the BPK model, which
is depicted in Figure 2 (page 26). Each player $L = (L_{KEY}, L_{PROOF})$ or $R = (R_{KEY}, R_{PROOF})$ works
in two stages: the key-generation stage (to be run by $L_{KEY}$ and $R_{KEY}$) and the proof stage (to be run
by $L_{PROOF}$ and $R_{PROOF}$). But, for presentation simplicity, we often write L and R directly without
explicitly indicating the key-generation algorithm and the proof algorithm (which are implicitly clear
from the context).

Notes on the CNMCT implementation: Note that PRZK is used as a building tool in the
coin-tossing protocol. That is, PRZK is composed concurrently with other sub-protocols (rather than
composed concurrently with itself). Also note that the tag of PRZK in Stage-5 is set interactively. For
presentation simplicity, we have described commit-then-PRZK, as well as PRZK, to work on concrete

^ The tag-based CNM security of the composed protocol is inherited from that of robust NIZK. Here, we note that
the CNM security formulation and protocol implementation of robust NIZK [21] actually imply tag-based CNM security,
though it was not explicitly mentioned and formalized there.



Right-player key registration: Let $f : \{0,1\}^* \to \{0,1\}^*$ be a one-way function. On a security parameter
$n$, the right-player R (actually $R_{KEY}$) randomly selects $s_0, s_1$ from $\{0,1\}^n$, and computes $y_0 = f(s_0)$,
$y_1 = f(s_1)$. R publishes $PK_R = (y_0, y_1)$ as its public-key, and keeps $SK_R = s_b$ as its secret-key for a
random bit $b \in \{0,1\}$ while discarding $SK'_R = s_{1-b}$. Define
$\mathcal{R}^R_{KEY} = \{((y_0, y_1), x) \mid y_0 = f(x) \vee y_1 = f(x)\}$, and $\mathcal{K}_R$ the corresponding NP-language.

Left-player key registration: Let C be a (non-interactive) statistically-binding commitment scheme.
Each left-player L (actually $L_{KEY}$) selects $\sigma \in \{0,1\}^n$ and $s_\sigma \in \{0,1\}^{poly(n)}$ uniformly at random, and
computes $c = C(\sigma, s_\sigma)$ (i.e., committing to $\sigma$ using randomness $s_\sigma$). Set $PK_L = c$ and $SK_L = (\sigma, s_\sigma)$,
where $\sigma$ serves as the random seed of a pseudorandom function PRF. Define
$\mathcal{K}_L = \{c \mid \exists (x, s) \text{ s.t. } c = C(x, s)\}$. (We note that the left-player actually can also use Naor's
OWF-based statistically-binding commitment scheme; in this case each right-player's public-key will
additionally include a $3n$-bit string serving as the first round of Naor's commitment scheme.)

Note on fixed vs. interchangeable roles: In the above key-registration description, we have assumed 
that protocol players do not interchange their roles. This is critical for achieving CNM security against 
a CMIM adversary capable of full adaptive input selection in the BPK model. But, as clarified in 
Section l473l, each player can also choose the ability of playing both (left-player and right-player) roles, 
by setting the public-key to be $PK = (PK_L, PK_R)$ and the secret-key to be $SK = (SK_L, SK_R)$. 
In this case, this player may lose CNM security against an adaptive input selecting CMIM adversary, 
but still holds CNM security with predetermined inputs in the BPK model. That is, whether to play 
with a fixed role or interchangeable roles can be at the discretion of each individual player. The system 
may involve players of fixed role, as well as players of interchangeable role. 

Stage-1. The right-player $R$ (actually $R_{PROOF}$) computes and sends $c_{sk} = C(SK_R, s_{sk})$, where $C$ is a 
constant-round statistically-binding commitment scheme and $s_{sk}$ is the randomness used for commitment. 
Define $\mathcal{R}_{C_{sk}} = \{((y_0, y_1), c_{sk}) \mid \exists (s_{sk}, SK) \text{ s.t. } c_{sk} = C(SK, s_{sk}) \wedge (y_0 = f(SK) \vee y_1 = f(SK))\}$. 
Then, $R$ proves to the left-player $L$ the knowledge of $(SK_R, s_{sk})$ such that $((PK_R, c_{sk}), (SK_R, s_{sk})) \in 
\mathcal{R}_{C_{sk}}$, by running the Pass-Rosen non-malleable ZK (PRZK) for $\mathcal{NP}$ with the tag set to be 
$(PK_L, PK_R = (y_0, y_1))$, which is referred to as the right tag. The composed protocol of statistically-
binding commitments and PRZK is called commit-then-PRZK. 

Stage-2. The left player $L$ (actually $L_{PROOF}$) randomly selects $r_l' \leftarrow \{0,1\}^n$, and sends $r_l'$ to $R$. 

Stage-3. The right player $R$ randomly selects $r_r \leftarrow \{0,1\}^n$ and sends $r_r$ to the left player. 

Stage-4. The left player computes $r_l = PRF_\sigma(r_l')$ (where $\sigma$ is the random seed of $PRF$ committed in $L$'s 
public-key $PK_L$), and sends $r = r_l \oplus r_r$ to the right player. 

Stage-5. $L$ computes and sends $c_{crs} = C(\sigma \| s_\sigma, s_{crs})$, where "$\|$" denotes the operation of string con-
catenation. Define $\mathcal{R}_{C_{crs}} = \{(PK_L = C(\sigma, s_\sigma), PK_R = (y_0, y_1), r_l', r_r, r, c_{crs}) \mid \exists (x, s, s_{crs}) \text{ s.t. } c_{crs} = 
C(x \| s, s_{crs}) \wedge [(PK_L = C(x, s) \wedge PRF_x(r_l') = r \oplus r_r) \vee y_0 = f(x) \vee y_1 = f(x)]\}$. Then, $L$ proves to $R$ 
the knowledge of $(\sigma, s_\sigma, s_{crs})$ such that $((PK_L, PK_R, r_l', r_r, r, c_{crs}), (\sigma, s_\sigma, s_{crs})) \in \mathcal{R}_{C_{crs}}$, by running 
the PRZK for $\mathcal{NP}$ with the tag set to be $(PK_L, r_r, r)$, which is referred to as the left tag. That is, $L$ 
proves to $R$ that either the value committed in $c_{crs}$ is $SK_L = (\sigma, s_\sigma)$ such that $PRF_\sigma(r_l') = r \oplus r_r$ 
OR the $n$-bit prefix of the committed value is the preimage of either $y_0$ or $y_1$. W.l.o.g., we can 
assume the left-tag $(PK_L, r_r, r)$ and the right-tag $(PK_L, y_0, y_1)$ are of the same length (the use of 
the session tags will be clear in the security analysis). 

The result of the protocol is the string $r$. We will use the convention that if one of the parties aborts (or 
fails to provide a valid proof) then the other party determines the result of the protocol. 



Figure 2: Constant-round CNMCT in the BPK model 

statements in Stage-1 and Stage-5. In actual implementation, both commit-then-PRZK and PRZK 
work for some $\mathcal{NP}$-Complete languages, and the actual statements to be proved by commit-then-PRZK 
and PRZK are obtained by applying $\mathcal{NP}$-reductions, while the tags remain unchanged. With Stage-1 
as the illustration example, the verifier actually first reduces $PK_R$ into an instance, denoted $s_{PK_R}$, 
of some $\mathcal{NP}$-Complete language, which serves as the input to commit-then-PRZK of Stage-1, and the 
statistically-binding commitment $c_{sk}$ actually commits to the corresponding $\mathcal{NP}$-witness of $s_{PK_R}$; then, 
the actual input to the subsequent PRZK is reduced from $(s_{PK_R}, c_{sk})$. The same treatment also applies 
to Stage-5. Note that the left and right tag strings could be arbitrarily different from (though still 
polynomially related to) the actual statements reduced by $\mathcal{NP}$-reductions. We remark that in the 
actual implementation of the above CNMCT protocol, PRZK can be replaced by any adaptive tag-
based one-left-many-right non-malleable (in the sense of simulation-extraction) statistical ZK argument 
of knowledge for $\mathcal{NP}$. But, PRZK is currently the only known one. 
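As an added illustration (not part of the paper, and not the authors' code), the following Python script instantiates the two $\mathcal{NP}$ relations of Figure 2, $\mathcal{R}_{C_{sk}}$ (Stage-1) and $\mathcal{R}_{C_{crs}}$ (Stage-5), with hash-based stand-ins: SHA-256 as the one-way function $f$ and as the commitment $C$, and HMAC-SHA256 as $PRF$. Those instantiations, the 128-bit demo parameter and all function names are assumptions of the demo. It runs the honest coin-tossing stages, then the simulator's left-session strategy from the proof (a truly random Stage-4 message and a commitment to $SK_R \| 0^t$), and checks that both witnesses satisfy $\mathcal{R}_{C_{crs}}$ while a party holding neither $\sigma$ nor a preimage of $y_0$/$y_1$ does not. The PRZK proofs themselves are not implemented: the script checks each relation directly with the witness, which is what the argument of knowledge guarantees to the verifier.

```python
import hashlib
import hmac
import secrets

N = 16  # byte length of seeds, preimages and coin-tossing outputs (demo-sized n = 128 bits)


def f(x: bytes) -> bytes:
    """One-way function f, modelled by domain-separated SHA-256 (demo assumption)."""
    return hashlib.sha256(b"owf|" + x).digest()


def C(value: bytes, rand: bytes) -> bytes:
    """Statistically-binding commitment C(value, rand), modelled as a hash commitment."""
    return hashlib.sha256(b"commit|" + len(value).to_bytes(2, "big") + value + rand).digest()


def PRF(seed: bytes, x: bytes) -> bytes:
    """PRF_seed(x), modelled by HMAC-SHA256 truncated to N bytes."""
    return hmac.new(seed, x, hashlib.sha256).digest()[:N]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))


# ---- key registration (Figure 2) ----
def right_keygen():
    """PK_R = (f(s0), f(s1)); SK_R = s_b for a random bit b, the other preimage is discarded."""
    s0, s1 = secrets.token_bytes(N), secrets.token_bytes(N)
    return (f(s0), f(s1)), (s0, s1)[secrets.randbelow(2)]


def left_keygen():
    """PK_L = C(sigma, s_sigma); SK_L = (sigma, s_sigma); sigma seeds the PRF."""
    sigma, s_sigma = secrets.token_bytes(N), secrets.token_bytes(N)
    return C(sigma, s_sigma), (sigma, s_sigma)


# ---- the NP relations behind commit-then-PRZK (Stage-1) and PRZK (Stage-5) ----
def rel_stage1(stmt, wit):
    """R_Csk: c_sk = C(SK, s_sk) and SK is a preimage of y0 or y1."""
    (y0, y1), c_sk = stmt
    SK, s_sk = wit
    return c_sk == C(SK, s_sk) and f(SK) in (y0, y1)


def rel_stage5(stmt, wit):
    """R_Ccrs: c_crs = C(x||s, s_crs) and either (PK_L = C(x, s) and PRF_x(r_l') = r xor r_r)
    or f(x) in {y0, y1}. The second disjunct is the branch the simulator uses."""
    PK_L, (y0, y1), rl_prime, rr, r, c_crs = stmt
    x, s, s_crs = wit
    if c_crs != C(x + s, s_crs):
        return False
    honest_branch = PK_L == C(x, s) and PRF(x, rl_prime) == xor(r, rr)
    return honest_branch or f(x) in (y0, y1)


# ---- protocol runs ----
def run_honest(PK_L, SK_L, PK_R, SK_R):
    """Honest L and R run Stages 1-5. Returns the output r and the (statement, witness)
    pair each proof of knowledge is run on; the demo checks relations in place of PRZK."""
    sigma, s_sigma = SK_L
    s_sk = secrets.token_bytes(N)
    c_sk = C(SK_R, s_sk)                      # Stage-1: R commits to SK_R, proves R_Csk
    rl_prime = secrets.token_bytes(N)         # Stage-2: L -> R
    rr = secrets.token_bytes(N)               # Stage-3: R -> L
    r = xor(PRF(sigma, rl_prime), rr)         # Stage-4: r = PRF_sigma(r_l') xor r_r
    s_crs = secrets.token_bytes(N)
    c_crs = C(sigma + s_sigma, s_crs)         # Stage-5: L commits to sigma||s_sigma, proves R_Ccrs
    return r, {
        "stage1": ((PK_R, c_sk), (SK_R, s_sk)),
        "stage5": ((PK_L, PK_R, rl_prime, rr, r, c_crs), (sigma, s_sigma, s_crs)),
    }


def run_simulated_left(PK_L, PK_R, SK_R_extracted, rl_prime, rr, S):
    """The simulator's left session (Figure 3, covered-key case): without SK_L it sends the
    predefined string S as the Stage-4 message and commits to SK_R||0^t, so the extracted
    right-player key is its witness for the OR branch of R_Ccrs."""
    zeros = bytes(N)                          # 0^{t(n)}, with t(n) = |s_sigma|
    s_crs = secrets.token_bytes(N)
    c_crs = C(SK_R_extracted + zeros, s_crs)
    return S, ((PK_L, PK_R, rl_prime, rr, S, c_crs), (SK_R_extracted, zeros, s_crs))


def demo():
    """Returns (honest relations hold, simulator witness accepted, bogus witness rejected,
    simulated output equals the predefined string)."""
    PK_L, SK_L = left_keygen()
    PK_R, SK_R = right_keygen()
    r, proofs = run_honest(PK_L, SK_L, PK_R, SK_R)
    ok_honest = rel_stage1(*proofs["stage1"]) and rel_stage5(*proofs["stage5"])
    _, _, rl_prime, rr, _, _ = proofs["stage5"][0]
    S = secrets.token_bytes(N)
    r_sim, (stmt_sim, wit_sim) = run_simulated_left(PK_L, PK_R, SK_R, rl_prime, rr, S)
    ok_sim = rel_stage5(stmt_sim, wit_sim)
    # a left player holding neither sigma nor a preimage of y0/y1 cannot satisfy R_Ccrs
    x_bad, s_bad, s_crs_bad = secrets.token_bytes(N), SK_L[1], secrets.token_bytes(N)
    stmt_bad = (PK_L, PK_R, rl_prime, rr, r, C(x_bad + s_bad, s_crs_bad))
    ok_bad = rel_stage5(stmt_bad, (x_bad, s_bad, s_crs_bad))
    return ok_honest, ok_sim, ok_bad, r_sim == S


if __name__ == "__main__":
    print(demo())  # (True, True, False, True)
```

The point the run makes visible is the one the security analysis relies on: the honest output is fixed by $\sigma$ and the two exchanged strings, while the simulator, knowing only the extracted $SK_R$, can make the session output equal to any predefined string $S$ and still produce a witness the Stage-5 relation accepts.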

Theorem 5.1 Assuming OWF, and one-left-many-right adaptive tag-based non-malleable ZK argu-
ments of knowledge for $\mathcal{NP}$ (in the sense of simulation/extraction), the protocol $\Pi = (L, R)$ depicted in 
Figure 2 is a constant-round concurrent non-malleable coin-tossing protocol in the BPK model. 

Proof (sketch). 

Underlying complexity assumptions 

Note that $PRF$ can be implemented with any OWF [38, 46], and the players can use Naor's OWF-
based statistically-binding commitments in key-registration. The (only) known adaptive tag-based 
one-left-many-right non-malleable statistical ZK argument of knowledge for $\mathcal{NP}$ is the Pass-Rosen ZK 
|631 163], which is in turn based on collision-resistant hash functions [H |1]. 

The (high-level) description of the simulator 

On security parameter $1^n$, for any positive polynomial $s(\cdot)$ and any PPT $s(n)$-CMIM adversary $\mathcal{A}$ 
in the BPK model with auxiliary information $z \in \{0,1\}^*$, the simulator $S = (S_{KEY}, S_{PROOF})$, with 
respect to the honest left-player key-registration algorithm $L_{KEY}$ and a CRS simulating algorithm 
$\mathcal{M}_{CRS}$, is depicted in Figure 3 (page 28). In the description, the notation $\hat{m}$ denotes a message 
sent by the simulator (emulating honest players), and $\tilde{m}$ denotes the arbitrary message sent by the 
CMIM-adversary $\mathcal{A}$. 



Notes on the CNM simulation: For any $i$, $1 \le i \le s(n)$, if in the $i$-th left (resp., right) session of 
the simulation $\mathcal{A}$ does not act accordingly or fails to provide a valid proof, then $S$ aborts that session, 
and sets the output just to be $S_L^{(i)}$ (resp., $S_R^{(i)}$) and the state information to be $t_L^{(i)}$ (resp., $t_R^{(i)}$). 

Note that in Case-R2 of right-session simulation (i.e., a successful right-session w.r.t. a left-player 
key $PK_L^{(j)} = PK_L$), the simulator does not try to extract the secret-key of $PK_L$. In the following 
analysis, we show that in this case, with overwhelming probability, the tag of Stage-5 of this successful 
right session is identical to that of Stage-5 of a left-session. As the tag of Stage-5 of a session consists of 
the session output (i.e., the coin-tossing output), this implies that the session output of the right-session 
is identical to that of one of the left-sessions. Moreover, we show that with overwhelming probability each 
left-session output can appear, as session output, in at most one successful right-session. 

In the unlikely event that $\mathcal{A}$ finishes a right session and the Stage-1 of a left-session simultaneously, 
both of which are w.r.t. uncovered public-keys, extracting $SK_R$ in the left simulation part takes priority 
(in this case, $SK_L$ extraction in the right simulation part is ignored in the current simulation repetition). 

During any (of the at most $s(n)+1$) simulation repetitions, if $S$ does not encounter secret-key 
extraction and does not stop due to Case-R1 failure or Case-R2 failure, then $S$ stops whenever $\mathcal{A}$ stops, 
and sets $str$ to be $F$ and the view of $\mathcal{A}$ in this simulation repetition, and $sta = (sta_L, sta_R)$ to be the 
according state-information. 

Analysis of the CNM simulation 

In order to establish the CNM security of the coin-tossing protocol depicted in Figure 2 according to 
the CNMCT definition of Definition 5.1, we need to show the following properties of the CNM simulator 
$S$ described in Figure 3: 

• $S$ works in expected polynomial-time. 

• The simulatability property, i.e., the output of $S$ is computationally indistinguishable from the view of 
$\mathcal{A}$ in real CMIM attack. 


External honest left-player key-generation: Let $(PK_L, SK_L) \leftarrow L_{KEY}(1^n)$, where $PK_L = c$ and 
$SK_L = (\sigma, s_\sigma)$ such that $\sigma \in \{0,1\}^n$ and $s_\sigma \in \{0,1\}^{poly(n)}$ and $c = C(\sigma, s_\sigma)$. This captures the fact that $S$ 
does not know $SK_L$ and can emulate the honest left-player with the same public-key $PK_L$. 

Public-key file generation: 

$S_{KEY}(1^n)$ perfectly emulates the key-generation stage of the honest right-player, getting $PK_R = (y_0 = 
f(s_0), y_1 = f(s_1))$ and $SK_R = s_b$ and $SK'_R = s_{1-b}$ for a random bit $b$. 

Denote by $F'$ the list of at most $s(n)$ public-keys generated by $\mathcal{A}$ on $(1^n, PK_L, PK_R, z)$; then the public-key 
file of the system is $F = F' \cup \{PK_L, PK_R\}$ (i.e., the proof stages are w.r.t. $F$). 

$\mathcal{S} \leftarrow \{(PK_R, SK_R)\}$ (i.e., initiate the set of covered keys $\mathcal{S}$ to be $\{(PK_R, SK_R)\}$). 

On input $(1^n, z, F', PK_L, PK_R, SK_R)$ and with oracle access to $\mathcal{A}(PK_L, PK_R, F', z)$, the following 
process is run by $S_{PROOF}$ repeatedly at most $s(n)+1$ times. In each simulation repetition, $S$ tries to 
either end with a successful simulation or cover a new public-key in $F - \mathcal{S}$. 



Straight-line left simulation: 

In the $i$-th left concurrent session (ordered by the time-step in which the first round of each session 
is played) between $S$ and $\mathcal{A}$ in the left CMIM interaction part with respect to a public-key $PK_R^{(j)}$, 
$1 \le i, j \le s(n)$, $S$ acts as follows: 

In case $\mathcal{A}$ successfully finishes Stage-1 and $PK_R^{(j)} \in F' - \mathcal{S}$, the simulator ends the 
current repetition of the simulation trial, and starts to extract a secret-key $SK_R^{(j)}$ such that 
$\mathcal{R}_{KEY}(PK_R^{(j)}, SK_R^{(j)}) = 1$, which is guaranteed by the AOK property of PRZK. Then, let 
$\mathcal{S} \leftarrow \mathcal{S} \cup \{(PK_R^{(j)}, SK_R^{(j)})\}$, and move to the next repetition with fresh randomness (but with the 
accumulated covered-key set $\mathcal{S}$ and the same public-key file $F$). 

In case $\mathcal{A}$ successfully finishes Stage-1 and $PK_R^{(j)} \in \mathcal{S}$ (i.e., $S$ has already learnt the secret-
key $SK_R^{(j)}$), $S$ randomly selects $\hat{r}_l'^{(i)} \leftarrow \{0,1\}^n$ and sends $\hat{r}_l'^{(i)}$ to $\mathcal{A}$ at Stage-2. After receiving the 
Stage-3 message, denoted $\tilde{r}_r^{(i)}$, from $\mathcal{A}$, $S$ invokes $\mathcal{M}_{CRS}(1^n)$ and gets the output denoted 
$(S_L^{(i)}, t_L^{(i)})$. $S$ then sends $\hat{r}^{(i)} = S_L^{(i)}$ as the Stage-4 message (rather than sending back 
$\hat{r}^{(i)} = PRF_\sigma(\hat{r}_l'^{(i)}) \oplus \tilde{r}_r^{(i)}$ as the honest left-player does), and sets $sta_L^{(i)} = t_L^{(i)}$. In Stage-5, $S$ 
computes and sends $\hat{c}_{crs}^{(i)} = C(SK_R^{(j)} \| 0^{t(n)}, s_{crs}^{(i)})$ to $\mathcal{A}$ (rather than sending back $c_{crs} = C(\sigma \| s_\sigma, s_{crs})$ 
as the honest left-player does), where $t(n)$ is the length of $s_\sigma$ in $SK_L$. Finally, $S$ finishes the 
PRZK of Stage-5 with $(SK_R^{(j)}, s_{crs}^{(i)})$ as its witness and $(PK_L, \tilde{r}_r^{(i)}, S_L^{(i)})$ as the tag. 

Straight-line right simulation: 

In the $i$-th right concurrent session (ordered by the time-step in which the first round of each session is 
played) between $S$ and $\mathcal{A}$ in the right CMIM interaction part with respect to a public-key $PK_L^{(j)} = c^{(j)} \in \mathcal{L}_L$, 
$1 \le i, j \le s(n)$, $S$ acts as follows: 

$S$ perfectly emulates the honest right-player in Stage-1 of any right session, with $SK_R$ as the witness to 
commit-then-PRZK and $(PK_L^{(j)}, PK_R)$ as the tag. 

Case-R1: If $PK_L^{(j)} \in \mathcal{S}$ (i.e., $S$ has already learnt the secret-key $SK_L^{(j)} = (\sigma^{(j)}, s_\sigma^{(j)})$), after receiving $\tilde{r}_l'^{(i)}$ 
from $\mathcal{A}$ at Stage-2, $S$ runs $\mathcal{M}_{CRS}(1^n)$ and gets the output denoted $(S_R^{(i)}, t_R^{(i)})$, and then computes and 
sends $PRF_{\sigma^{(j)}}(\tilde{r}_l'^{(i)}) \oplus S_R^{(i)}$ as the Stage-3 message, and goes further. 

Case-R2: If $PK_L^{(j)} \notin \mathcal{S} \cup \{PK_L\}$, and $\mathcal{A}$ successfully finishes the $i$-th right session (in which $S$ just perfectly 
emulates the honest right-player of $PK_R$), then the simulator $S$ ends the current repetition of the simulation 
trial, and starts to extract a secret-key $SK_L^{(j)}$ for $PK_L^{(j)}$. In case $S$ fails to extract 
such $SK_L^{(j)}$, $S$ stops the simulation, and outputs a special symbol $\bot$ indicating simulation failure. Such simulation 
failure is called Case-R2 failure. In case $S$ successfully extracts such $SK_L^{(j)}$, then let $\mathcal{S} \leftarrow \mathcal{S} \cup \{(PK_L^{(j)}, SK_L^{(j)})\}$, 
and move to the next repetition with fresh randomness (but with the accumulated covered-key set $\mathcal{S}$ and the same 
public-key file). 

Setting $sta_R$: For a successful $i$-th right session, if the Stage-4 message $\tilde{r}^{(i)}$ is $S_L^{(k)}$ or $S_R^{(k)}$ for some $k$, $1 \le k \le 
s(n)$, then $sta_R^{(i)}$ is set accordingly to $t_L^{(k)}$ or $t_R^{(k)}$; otherwise, $sta_R^{(i)}$ is set to be $\bot$. 

Figure 3: The CNM simulation 



• The property of strategy-restricted and predefinable randomness. 

• The secret-key independence property. 

In the following, we analyze the above four properties of the CNM simulator $S$ case by case. 

• $S$ works in expected polynomial-time 

Note that $S$ works for at most $s(n)+1$ repetitions. Then, depending on the ability of $S$ to extract the 
secret-key of uncovered public-keys in expected polynomial-time during each repetition (equivalently, 
within running-time inversely proportional to the probability that the secret-key extraction event occurs), $S$ 
will work in expected polynomial-time. The technique for covering public-keys follows that of [12, 5]. 
Below, we specify the secret-key extraction procedures in more detail. 

Right-player key coverage. Whenever $S$ needs to extract the secret-key $SK_R^{(j)}$ corresponding 
to an uncovered public-key $PK_R^{(j)}$, due to successful Stage-1 of the $i$-th left session during the $k$-th 
simulation repetition w.r.t. covered key set $\mathcal{S}^{(k)}$, $1 \le i, j \le s(n)$ and $1 \le k \le s(n)+1$, we combine 
the CMIM adversary $\mathcal{A}$ and the simulation other than Stage-1 of the $i$-th left session (i.e., the public 
file $F$, the covered key set $\mathcal{S}^{(k)}$, the randomness $r_{\mathcal{A}}$ of $\mathcal{A}$, and the randomness $r_S$ used by $S$ except 
for that to be used in Stage-1 of the $i$-th left session) into an imaginary (deterministic) knowledge 
prover $P_{(\mathcal{S}^{(k)}, r_{\mathcal{A}}, r_S)}$. Note that, by the description of the CNM simulation depicted in Figure 3, the 
Stage-1 of the $i$-th left session is the first successful Stage-1 of a left session finished by $\mathcal{A}$ (during the 
$k$-th simulation repetition) with respect to an uncovered public-key not in $\mathcal{S}^{(k)}$. The knowledge-prover 
$P_{(\mathcal{S}^{(k)}, r_{\mathcal{A}}, r_S)}$ only interacts with a stand-alone knowledge-verifier of commit-then-PRZK, by running $\mathcal{A}$ 
internally and mimicking $S$ with respect to $\mathcal{S}^{(k)}$ but with the following exceptions: (1) the messages 
belonging to the Stage-1 of the $i$-th left session are relayed between the internal $\mathcal{A}$ and the external 
stand-alone knowledge-verifier of PRZK; (2) $P_{(\mathcal{S}^{(k)}, r_{\mathcal{A}}, r_S)}$ ignores the events of secret-key extraction in the 
right simulation part, i.e., successful right sessions with respect to uncovered (left-player) public-keys; 
(3) whenever $\mathcal{A}$ (run internally by $P_{(\mathcal{S}^{(k)}, r_{\mathcal{A}}, r_S)}$) successfully finishes, for the first time, Stage-1 of a left 
session w.r.t. an uncovered (right-player) public-key not in $\mathcal{S}^{(k)}$, $P_{(\mathcal{S}^{(k)}, r_{\mathcal{A}}, r_S)}$ stops. 

For any intermediate $\mathcal{S}^{(k)}$ used in the $k$-th simulation repetition, any $PK_R^{(j)} \notin \mathcal{S}^{(k)}$, any randomness $r_{\mathcal{A}}$ 
of $\mathcal{A}$ and any randomness $r_S$ used by $S$ except for that to be used in Stage-1 of the $i$-th left session, 
denote by $p$ the probability (taken over the coins used by $S$ for Stage-1 of the $i$-th left session) that the 
public-key used by $\mathcal{A}$ in Stage-1 of the $i$-th left session is $PK_R^{(j)}$, and furthermore, the Stage-1 of the $i$-th 
left session is the first successful Stage-1 of a left session w.r.t. an uncovered public-key during the 
simulation of $S$ w.r.t. covered-key set $\mathcal{S}^{(k)}$. In other words, $p$ is the probability, taken over the coins 
used by $S$ for Stage-1 of the $i$-th left session (but for fixed other coins), of the event that $S$ needs to 
cover $PK_R^{(j)} \notin \mathcal{S}^{(k)}$ in the $i$-th left session in its simulation w.r.t. $\mathcal{S}^{(k)}$. Clearly, with probability at least 
$p$, the knowledge prover $P_{(\mathcal{S}^{(k)}, r_{\mathcal{A}}, r_S)}$ successfully convinces the stand-alone knowledge verifier of $PK_R^{(j)}$. 

By the AOK property of PRZK and applying the knowledge-extractor on $P_{(\mathcal{S}^{(k)}, r_{\mathcal{A}}, r_S)}$, the secret-key 
$SK_R^{(j)}$ will be extracted within running-time inversely proportional to $p$. Here, when $p$ is negligible, the 
standard technique, originally proposed in [39] and then deliberated in [49], has to be applied (to 
estimate the value of $p$) to make sure of expected polynomial-time knowledge-extraction. In more detail, 
the running-time of the naive approach of directly applying the knowledge-extractor whenever such events 
occur is bounded by 

$$T(n) = p \cdot \frac{q(n)}{p - \kappa(n)},$$ 

where $\kappa(n)$ is the knowledge-error and $q(\cdot)$ is the polynomial related to the running time of the 
knowledge-extractor, which is $\frac{q(n)}{p - \kappa(n)}$. The subtle point is: when $p$ is negligible, $T(n)$ is not 
necessarily polynomial in $n$. The reader is referred to [39, 49] for the technical details of dealing with this issue. 

Left-player key coverage. 

The coverage procedure for uncovered (left-player) public-keys used by $\mathcal{A}$ in successful Stage-5 of 
right sessions can be described accordingly, similar to the above right-player key coverage. The key point 
to note here is: for a successful right session with respect to an uncovered (left-player) public-key 
$PK_L^{(j)}$, the value extracted in expected polynomial-time is not necessarily the secret-key $SK_L^{(j)}$, 
though the value extracted must be either $SK_L^{(j)}$ or $SK_R$ (i.e., the preimage of either $y_0$ or $y_1$), where 
$PK_R = (y_0, y_1)$ is the simulated (right-player) public-key. That is, $S$ may abort due to Case-R2 failure 
(though it works in expected polynomial-time). We show, in the following analysis of the simulatability 
property, that Case-R2 failure occurs with at most negligible probability. 

• Simulatability 

For presentation simplicity, in the following analysis of simulatability we assume the first output 
of $\mathcal{M}_{CRS}$ is a truly random string of length $n$, i.e., all $S_L^{(i)}$'s and $S_R^{(i)}$'s are truly random strings. The 
extension of the simulatability analysis to the case of pseudorandom output of $\mathcal{M}_{CRS}$ is direct. 

Assuming truly random output of $\mathcal{M}_{CRS}$, there are three differences between the simulated tran-
script output by $S$ and the view of $\mathcal{A}$ in real CMIM attack against the honest left-player of $PK_L$ and 
the honest right-player of $PK_R$: 

Truly random vs. pseudorandom Stage-4 messages: In simulation, the simulator $S$ sends a truly 
random string $\hat{r}^{(i)} = S_L^{(i)}$ at Stage-4 of the $i$-th left session, for any $i$, $1 \le i \le s(n)$. But, the 
honest left-player sends a pseudorandom Stage-4 message, i.e., $\hat{r}^{(i)} = PRF_\sigma(\hat{r}_l'^{(i)}) \oplus \tilde{r}_r^{(i)}$, where 
$\hat{r}_l'^{(i)}$ and $\tilde{r}_r^{(i)}$ are the Stage-2 and Stage-3 messages of the $i$-th left session. 

Witness difference of Stage-5 of left sessions: For any $i$-th left session w.r.t. a public-key $PK_R^{(j)} \in 
\mathcal{S}$, the witness used by $S$ in the commit-then-PRZK of Stage-5 is always the extracted secret-key 
$SK_R^{(j)}$, while the witness used by the honest left-player is always its secret-key $SK_L$. 

Case-R2 failure: $S$ may stop with simulation failure, due to invalid secret-key extraction in Case-R2 
in the right simulation part. 

We first show that, conditioned on Case-R2 failure not occurring, the output of $S$ is indistinguishable 
from the real view of $\mathcal{A}$. Specifically, we have the following lemma: 

Lemma 5.1 Conditioned on Case-R2 failure not occurring, the following ensembles are indistinguish-
able: $\{S(1^n, z, PK_L, PK_R, SK_R)\}_{n \in N,\, PK_L \in \mathcal{L}_L,\, (PK_R, SK_R) \in \mathcal{R}_{KEY},\, z \in \{0,1\}^*}$ (defined in Definition 5.1) and 
$\{\mathrm{view}_{\mathcal{A}}(1^n, z, PK_L, PK_R)\}_{n \in N,\, PK_L \in \mathcal{L}_L,\, (PK_R, SK_R) \in \mathcal{R}_{KEY},\, z \in \{0,1\}^*}$ (defined in accordance with 
the experiment $\mathsf{Exp}_{\mathcal{A}}(1^n, z)$ depicted in Section (page 73)). 

Proof (of Lemma 5.1). We first note that, conditioned on Case-R2 failure not occurring and 
assuming the truly random output of $\mathcal{M}_{CRS}$, $S$ perfectly emulates the honest right-player of $PK_R$ in the 
right simulation part. 

The remaining two differences are both w.r.t. left session simulation. Intuitively, in real interaction the seed 
$\sigma$ of $PRF$ is committed in the left-player public-key $PK_L$ and is re-committed and proved concurrently 
in Stage-5 of left sessions, so the CMIM adversary may potentially gain some knowledge about the random 
seed $\sigma$ by concurrent interaction, which enables it to set its Stage-3 messages of left sessions maliciously 
depending on the output of $PRF_\sigma$. Note that in real interaction, the Stage-4 messages sent by the honest 
left-player are determined by the $PRF$ seed and the Stage-2 messages. Thus, the Stage-4 messages of left 
sessions in real interaction may be distinguishable from the truly random strings sent by the simulator 
$S$ in simulation. The indistinguishability between the simulated transcript and the real view of $\mathcal{A}$ is 
nevertheless proved by hybrid arguments. 

We consider a hybrid mental experiment $\mathcal{H}$. $\mathcal{H}$ mimics $S(1^n, z, PK_L, PK_R, SK_R)$, additionally 
possessing $SK_L = (\sigma, s_\sigma)$ and with the following exception: At Stage-4 of any left session, $\mathcal{H}$ just 
emulates the honest left-player by setting the Stage-4 message $\hat{r}^{(i)}$ to be $PRF_\sigma(\hat{r}_l'^{(i)}) \oplus \tilde{r}_r^{(i)}$ (rather than 
sending $S_L^{(i)}$ as $S$ does); in Stage-5 of any left session w.r.t. a covered key $PK_R^{(j)}$ (for which $\mathcal{H}$ has 
already learnt the corresponding secret-key $SK_R^{(j)}$), $\mathcal{H}$ still emulates $S$ by using the extracted secret-
key $SK_R^{(j)}$ as the witness (specifically, it commits to $SK_R^{(j)} \| 0^t$ and finishes PRZK accordingly as the 
simulator $S$ does). 

The difference between the view of $\mathcal{A}$ in $\mathcal{H}$ and the view of $\mathcal{A}$ in the simulation of $S$ lies in the 
Stage-4 messages of left sessions. Suppose that the view of $\mathcal{A}$ in $\mathcal{H}$ is distinguishable from 
the view of $\mathcal{A}$ in the simulation of $S$; then there exists a PPT algorithm $D$ that, given 
the commitment of the $PRF$ seed, i.e., $PK_L = C(\sigma, s_\sigma)$, can distinguish the output of $PRF_\sigma$ from truly 
random strings. Specifically, on input $PK_L$, $D$ emulates $\mathcal{H}$ or $S$ by having oracle access to $PRF_\sigma$ or a 
truly random function; whenever it needs to send a Stage-4 message in a left session, it just queries its 
oracle with the Stage-2 message. Clearly, if the oracle is $PRF_\sigma$, then $D$ perfectly emulates $\mathcal{H}$; otherwise 
(i.e., the oracle is a truly random function), it perfectly emulates the simulation of $S$. 

So, we conclude that if the view of $\mathcal{A}$ in $\mathcal{H}$ is distinguishable from the view of $\mathcal{A}$ in the simulation 
of $S$, then there is a PPT algorithm $D$ that, given the commitment of the $PRF$ seed $\sigma$, can distinguish the 
output of $PRF_\sigma$ from that of a truly random function. Consider the case that $D$, given the commitment 
$c = C(\sigma)$, has oracle access to an independent $PRF_{\sigma'}$ with an independent random seed $\sigma'$, or to a truly 
random function. Due to the pseudorandomness of $PRF$, the output of $D(c)$ with oracle access to 
$PRF_{\sigma'}$ is indistinguishable from the output of $D(c)$ with oracle access to a truly random function. This 
implies that $D$, given the commitment $c = C(\sigma)$, can distinguish the output of $PRF_\sigma$ from the output 
of $PRF_{\sigma'}$, where $\sigma$ and $\sigma'$ are independent random seeds. But, this violates the computational hiding 
property of the commitment scheme $C$. Specifically, given two random strings of length $n$, $(s_0, s_1)$, and 
a commitment $c_b = C(s_b)$ for a random bit $b$, the algorithm $D$ can be used to distinguish the value 
committed in $c_b$, which violates the computational hiding property of $C$. 

Now, we consider the difference between the output of $\mathcal{H}$ and the view of $\mathcal{A}$ in real execution. Recall 
that, as we have shown the view of $\mathcal{A}$ in $\mathcal{H}$ is indistinguishable from that in the simulation and we have 
assumed Case-R2 failure does not occur in the simulation of $S$, Case-R2 failure can occur in $\mathcal{H}$ with 
at most negligible probability. Then, the difference between the output of $\mathcal{H}$ and the view of $\mathcal{A}$ in real 
execution lies in the witnesses used in Stage-5 of left sessions. Specifically, $\mathcal{H}$ still uses the extracted 
right-player secret-keys in Stage-5 of left sessions, while the honest left-player always uses its secret-key 
$SK_L$ in Stage-5 of left sessions in real execution. By hybrid arguments, the difference can be reduced to 
violating the regular WI property of commit-then-PRZK. Note that commit-then-PRZK is itself regular 
WI for $\mathcal{NP}$ (actually, any commit-then-SWI is itself regular WI). 

In more detail, we consider the mental experiment $M_b$, $b \in \{0,1\}$. On input $\{(PK_L, SK_L), (PK_R, SK_R)\}$, 
the public file $F$, and auxiliary information $z$ to the CMIM adversary $\mathcal{A}$^, the mental experiment $M_b$ also takes 
as input all secret-keys corresponding to right-player public-keys in the public file $F$ (in case the corre-
sponding secret-keys exist). $M_b$ runs the CMIM adversary $\mathcal{A}$ as follows: 

1. $M_b$ emulates the honest right-player of $PK_R$ (with $SK_R$ as the witness) in right sessions. In par-
ticular, $M_b$ just sends truly random Stage-3 messages in all right sessions, and ignores knowledge-
extraction of left-player secret-keys in right sessions (i.e., in case $\mathcal{A}$ successfully finishes a right 
session w.r.t. an uncovered public-key $PK_L^{(j)}$, $M_b$ ignores the need of secret-key extraction and just 
moves on); 

2. For any $i, j$, $1 \le i \le s(n)$ and $1 \le j \le s(n)+1$, in the $i$-th left session w.r.t. right-player public-key 
$PK_R^{(j)}$, $M_b$ emulates the honest left-player of $PK_L$ until Stage-4 (in particular, it sets the Stage-4 
message $\hat{r}^{(i)}$ to be $PRF_\sigma(\hat{r}_l'^{(i)}) \oplus \tilde{r}_r^{(i)}$), but with the following exception in Stage-5: 

• If $b = 0$, then $M_b$ just emulates the honest left-player in Stage-5 of the left session, with $SK_L$ 
as its witness. 

• If $b = 1$, $M_b$ still emulates the simulator by using the secret-key $SK_R^{(j)}$, which we assume 
exists and $M_b$ knows, as the witness in Stage-5. Specifically, it commits to $SK_R^{(j)} \| 0^t$ and 
finishes PRZK accordingly as the simulator $S$ does. 

It is easy to see that the output of $M_0$ is identical to the real view of $\mathcal{A}$ in real execution, and the 
output of $M_1$ is indistinguishable from the output of $\mathcal{H}$. Then, suppose the real view of $\mathcal{A}$ in real 
execution is distinguishable from the output of $\mathcal{H}$; by hybrid arguments we can break the regular WI 
of commit-then-PRZK. □ 

^Recall that, in accordance with the definition of CNMCT, $z$ is a priori information of $\mathcal{A}$ that is independent from the 
public file $F$ (in particular, $PK_L$ and $PK_R$). 

Now, we show that Case-R2 failure indeed occurs with negligible probability, from which the simu-
latability of the CNM simulation is established. 

Lemma 5.2 Case-R2 failure occurs with negligible probability. 

Proof (of Lemma 5.2). Suppose Case-R2 failure occurs with non-negligible probability. That is, for 
some polynomial $p(n)$ and infinitely many $n$'s, with probability $1/p(n)$ there exist $k, i, j$, $1 \le k \le s(n)+1$ 
and $1 \le i, j \le s(n)$, such that in the $k$-th simulation repetition $\mathcal{A}$ successfully finishes the $i$-th right 
session with respect to an uncovered public-key $PK_L^{(j)} \notin \mathcal{S} \cup \{PK_L\}$; furthermore, the $k$-th simulation 
repetition is the first one encountering Case-R2 failure and the $i$-th right session is the first successful 
session w.r.t. an uncovered public-key not in $\mathcal{S} \cup \{PK_L\}$ during the $k$-th simulation repetition, but the 
simulator fails in extracting the corresponding secret-key $SK_L^{(j)}$. Recall that $S$ makes at most $s(n)+1$ 
simulation trials (repetitions) and each simulation trial uses fresh randomness in the proof stages; $S$ 
starts knowledge-extraction whenever it encounters a successful session w.r.t. an uncovered public-key 
different from $PK_L$; whenever Case-R2 failure occurs $S$ aborts the whole simulation, which implies 
that the $k$-th simulation repetition is also the last simulation trial. 

Note that, by the AOK property of PRZK (we can combine the $k$-th simulation repetition except for 
the Stage-5 of the $i$-th right session into a stand-alone knowledge prover of the PRZK), in this case the 
simulator still extracts some value that is uniquely determined by the statistically-binding commitment 
$\tilde{c}_{crs}^{(i)}$ at the start of Stage-5 of the $i$-th right session. According to the AOK property of PRZK, there 
are two possibilities for the value committed in $\tilde{c}_{crs}^{(i)}$ and extracted by $S$, assuming Case-R2 failure. 

Case-1. The value committed is the preimage of $y_{1-b}$. Recall that $PK_R = (y_0, y_1)$ is the simulated 
public-key of the honest right player, with $SK_R = s_b$ for a random bit $b$ such that $y_b = f(s_b)$. 

Case-2. The value committed is the preimage of $y_b$. 

Due to the one-wayness of the OWF $f$, it is easy to see that Case-1 can occur only with negligible 
probability. Specifically, consider the case that $y_{1-b}$ is given to the simulator, rather than generated by 
the simulator itself. 

Below, we show that Case-2 also occurs with negligible probability, from which Lemma 5.2 is then 
established. 

We consider the following two experiments: $E(1^n, s_b)$, where $b \in \{0,1\}$. The experiment $E(1^n, s_b)$ 
consists of two phases, denoted by $E_1$ and $E_2$: In the first phase, $E_1$ just runs $S(1^n, s_b)$ until $S$ stops. 
Denote by $\mathcal{C}_b$ the set of extracted keys, corresponding to public-keys in $F - \{PK_R\}$, which are extracted 
and used by $S(1^n, s_b)$ in its last simulation trial (recall that the first simulation repetition encountering 
Case-R2 failure is also the last simulation repetition). Specifically, suppose $S$ uses $SK_R = s_b$ in the 
simulation and stops in the $k$-th simulation repetition with respect to the covered-key set, denoted $\mathcal{S}_b^{(k)}$; 
then $\mathcal{C}_b = \mathcal{S}_b^{(k)} - \{(PK_R, SK_R)\}$. Note that $\mathcal{C}_b$ does not include $(PK_R, SK_R)$ now. The set $\mathcal{C}_b$ generated 
by $E_1$ is passed on to $E_2$. 

Then, in the second phase of the experiment $E(1^n, s_b)$, $E_2(1^n, s_b, \mathcal{C}_b)$ runs the CMIM adversary $\mathcal{A}$ 
and (re)mimics the simulation of $S$ at its last simulation trial w.r.t. the set of covered-keys $\mathcal{C}_b$, but 
with the following exceptions: (1) $E_2$ sends a truly random Stage-3 message in each right session; (2) $E_2$ 
has oracle access to the prover of commit-then-PRZK $P(1^n, s_b)$; whenever $S$ needs to give a Stage-1 
proof of a right session on $PK_R = (y_0, y_1)$, or needs to give a Stage-5 proof of a left session with respect 
to $PK_R$^ on input $(PK_L, PK_R, (\hat{r}_l'^{(i)}, \tilde{r}_r^{(i)}, \hat{r}^{(i)}))$, $E_2$ just sets the corresponding input, i.e., $PK_R$ or 
$(PK_L, PK_R, (\hat{r}_l'^{(i)}, \tilde{r}_r^{(i)}, \hat{r}^{(i)}))$ as well as the according left or right tag, to its oracle $P(s_b)$, and then 
relays messages between the oracle and the CMIM adversary $\mathcal{A}$; (3) In case $\mathcal{A}$ successfully finishes 
Stage-1 of a left session or Stage-5 of a right session with respect to an uncovered public-key not in 
$\mathcal{C}_b \cup \{PK_L, PK_R\}$ in the run of $E_2(1^n, s_b, \mathcal{C}_b)$, $E_2$ just stops. 

Now, suppose Case-2 of Case-R2 failure occurs with non-negligible probability. Then, with non-
negligible probability, $S(1^n, s_b)$ aborts due to Case-R2 failure in its last simulation trial with respect 
to the covered public-key set $\mathcal{C}_b$, and the value committed in $\tilde{c}_{crs}$ (in the successful $i$-th right session 
w.r.t. an uncovered public-key $PK_L^{(j)} \notin \mathcal{C}_b \cup \{PK_L, PK_R\}$ during the simulation trial w.r.t. $\mathcal{C}_b$) is the 
preimage of $y_b$. Recall that the successful $i$-th right session is also the first successful session w.r.t. an 
uncovered public-key different from $PK_L$ during the simulation trial w.r.t. $\mathcal{C}_b$. It is easy to see that, with 
the same probability, the value committed in $\tilde{c}_{crs}$ in the $i$-th right successful session (which is also the 
first successful session w.r.t. an uncovered public-key not in $\mathcal{C}_b \cup \{PK_L, PK_R\}$) in $E_2(1^n, s_b, \mathcal{C}_b)$ is the 
preimage of $y_b$. We will use this fact to violate the one-left-many-right simulation/extraction of commit-
then-PRZK with adaptively set input and tag for the one left session, where the simulator/extractor 
of commit-then-PRZK first commits to and then runs the one-left-many-right simulator/extractor of 
PRZK. 

Before proceeding with the analysis, we first present some observations on commit-then-PRZK with re-
stricted input selection and indistinguishable auxiliary information. Consider the following experiments: 
$\mathrm{EXPT}(1^n, w^b, aux^b)$, where $w^b \in \{0,1\}^n$ for $b \in \{0,1\}$. In $\mathrm{EXPT}(1^n, w^b, aux^b)$, the commit-then-PRZK 
for $\mathcal{NP}$ is run concurrently, and a many-left-many-right CMIM adversary $\mathcal{A}$, possessing auxiliary infor-
mation $aux^b$, can set the inputs and tags to prover instances of left sessions with the following restriction: 
for any $x_i$, $1 \le i \le s(n)$, set by $\mathcal{A}$ for the $i$-th left session of commit-then-PRZK, the fixed value $w^b$ 
is always a valid $\mathcal{NP}$-witness. In other words, although $\mathcal{A}$ has the power of adaptive input selection 
for provers, there exists a fixed witness-pair $(w^0, w^1)$ for all inputs selected by $\mathcal{A}$. Such an adversary is 
called a restricted input-selecting CMIM-adversary. Denote by $trans^b$ the transcript of the experiment 
$\mathrm{EXPT}(1^n, w^b, aux^b)$ (i.e., the view of $\mathcal{A}$ in $\mathrm{EXPT}(1^n, w^b, aux^b)$), and by $W^b = \{w_1^b, \cdots, w_{s(n)}^b\}$ the wit-
nesses encoded (determined) by the statistically-binding commitments (at the beginning) of successful 
right sessions in $trans^b$; for a right session that aborts or whose tag of the underlying PRZK is identical 
to that in one of the left sessions, $w_i^b$ is set to be a special symbol $\bot$. We want to show the following 
proposition: 

Proposition 5.1 If the ensembles $\{aux^0\}_{n \in N,\, w^0 \in \{0,1\}^n,\, w^1 \in \{0,1\}^n}$ and $\{aux^1\}_{n \in N,\, w^0 \in \{0,1\}^n,\, w^1 \in \{0,1\}^n}$ are 
indistinguishable, then the ensembles $\{(trans^0, W^0)\}_{n \in N,\, w^0 \in \{0,1\}^n,\, w^1 \in \{0,1\}^n}$ in accordance with $\mathrm{EXPT}(1^n, 
w^0, aux^0)$ and $\{(trans^1, W^1)\}_{n \in N,\, w^0 \in \{0,1\}^n,\, w^1 \in \{0,1\}^n}$ in accordance with $\mathrm{EXPT}(1^n, w^1, aux^1)$ are also in-
distinguishable. 

Proof (of Proposition 5.1): This is established by investigating a series of experiments.

First consider the two experiments $\mathrm{EXPT}'(1^n, w^b, aux^b)$, where $b \in \{0,1\}$. In $\mathrm{EXPT}'(1^n, w^b, aux^b)$, a one-left-many-right restricted input-selecting MIM adversary $\mathcal{A}$, possessing auxiliary information $aux^b$, interacts with the prover instance of commit-then-PRZK in one left session and sets the input $x$ of the left session such that $(x, w^b) \in R_{\mathcal{L}}$, and concurrently interacts with many honest verifier instances on the right. From the one-many simulation/extraction SZKAOK property of PRZK (with adaptively set input and tag for the one left session) and the computational-hiding property of the underlying statistically-binding commitments, by hybrid arguments we conclude that if $aux^0$ is indistinguishable from $aux^1$, then $\mathcal{A}$'s views and the witnesses encoded (actually extracted) in the two experiments, i.e., $(trans^0, W^0)$ and $(trans^1, W^1)$, are indistinguishable. Specifically, consider that the one left session is simulated by first committing and then running the simulator/extractor of PRZK.

In more detail, due to the statistical ZK property of PRZK, for any bit $b \in \{0,1\}$, $(trans^b, W^b)$ in $\mathrm{EXPT}'(1^n, w^b, aux^b)$ is statistically indistinguishable from $(trans^b, W^b)$ in a modified version of $\mathrm{EXPT}'(1^n, w^b, aux^b)$, called commit($w^b$)-then-simulatedPRZK, in which the PRZK of the one left session is simulated rather than really executed (but the witness is still committed to in the statistically-binding commitment of the left session). Then, for this experiment, due to the computational-hiding property of the statistically-binding commitment scheme used in commit-then-PRZK, $(trans^b, W^b)$ of the commit($w^b$)-then-simulatedPRZK experiment is computationally indistinguishable from that of the commit($0$)-then-simulatedPRZK experiment, in which "0" (rather than $w^b$) is committed to in the statistically-binding commitment of the one left session.

$^7$ Note that left sessions may be with respect to the simulated public-key $PK_R$, i.e., the CMIM adversary may impersonate the honest right-player of $PK_R$ in left sessions.

$^8$ Actually, the $\mathcal{NP}$-statements reduced from them for the $\mathcal{NP}$-complete language for which commit-then-PRZK actually works.

Now we consider the following two experiments: $\mathrm{EXPT}(1^n, w, aux^b)$, where $b \in \{0,1\}$ and $w \in \{w^0, w^1\}$. In $\mathrm{EXPT}(1^n, w, aux^b)$, a many-left-many-right restricted input-selecting MIM adversary $\mathcal{A}$, possessing auxiliary information $aux^b$, interacts concurrently with many prover instances on the left (such that $w$ is always a witness for the inputs selected adaptively by $\mathcal{A}$ for left sessions), and interacts with many honest verifier instances on the right. Then the indistinguishability between the ensembles $\{(trans^0, W^0)\}_{n \in N, w^0 \in \{0,1\}^n, w^1 \in \{0,1\}^n}$ and $\{(trans^1, W^1)\}_{n \in N, w^0 \in \{0,1\}^n, w^1 \in \{0,1\}^n}$ is direct from the indistinguishability between $\{aux^0\}_{n \in N, w^0 \in \{0,1\}^n, w^1 \in \{0,1\}^n}$ and $\{aux^1\}_{n \in N, w^0 \in \{0,1\}^n, w^1 \in \{0,1\}^n}$. Note that, according to the definition of indistinguishability between ensembles, $(w, aux^0)$ and $(w, aux^1)$ are indistinguishable; actually, $(w^0, w^1, aux^0)$ and $(w^0, w^1, aux^1)$ are indistinguishable. Also note that all sessions in $\mathrm{EXPT}(1^n, w, aux^b)$ can be emulated internally by a PPT algorithm given $(w, aux^b)$, so a distinguisher between the two experiments directly yields a distinguisher between the two auxiliary-information ensembles.

We now return to the experiments $\mathrm{EXPT}(1^n, w^b, aux^b)$ with respect to a many-left-many-right restricted input-selecting MIM adversary $\mathcal{A}$. Firstly, the distribution ensemble $\{(trans^0, W^0)\}_{n \in N, w^0 \in \{0,1\}^n, w^1 \in \{0,1\}^n}$ in accordance with $\mathrm{EXPT}(1^n, w^0, aux^0)$ and the distribution ensemble $\{(trans^0, W^0)\}_{n \in N, w^0 \in \{0,1\}^n, w^1 \in \{0,1\}^n}$ in accordance with $\mathrm{EXPT}(1^n, w^0, aux^1)$ are indistinguishable if $\{aux^0\}_{n \in N, w^0 \in \{0,1\}^n, w^1 \in \{0,1\}^n}$ and $\{aux^1\}_{n \in N, w^0 \in \{0,1\}^n, w^1 \in \{0,1\}^n}$ are indistinguishable, where $\mathrm{EXPT}(1^n, w^0, aux^1)$ denotes the hybrid experiment in which the CMIM adversary possesses auxiliary information $aux^1$ while concurrently interacting on the left with many prover instances using the fixed witness $w^0$. Then, by a simple hybrid argument reducing to the one-left-many-right case, we get that the distribution ensemble $\{(trans^0, W^0)\}_{n \in N, w^0 \in \{0,1\}^n, w^1 \in \{0,1\}^n}$ in accordance with $\mathrm{EXPT}(1^n, w^0, aux^1)$ is indistinguishable from the distribution ensemble $\{(trans^1, W^1)\}_{n \in N, w^0 \in \{0,1\}^n, w^1 \in \{0,1\}^n}$ in accordance with $\mathrm{EXPT}(1^n, w^1, aux^1)$. In more detail, if the above ensembles are distinguishable, then the difference can be reduced, by hybrid arguments, to the difference of the witnesses used in only one left session. Note that all sessions other than that one left session can be emulated internally by a PPT algorithm given $(w^0, w^1, aux^1)$.

Proposition 5.1 follows. □
Now we return to the experiments $E(1^n, s_b)$ to finish the proof of Lemma 5.2. We first prove that $\{C_0\}_{n \in N, s_0 \in \{0,1\}^n, s_1 \in \{0,1\}^n}$ is indistinguishable from $\{C_1\}_{n \in N, s_0 \in \{0,1\}^n, s_1 \in \{0,1\}^n}$ according to the analysis of Proposition 5.1, where $C_b$, $b \in \{0,1\}$, is the set of extracted keys (corresponding to the public-keys in $F - \{PK_R\}$) that is used by the simulator $S(1^n, s_b)$ in its last simulation repetition. Equivalently, $C_b$ is generated by $E_1(1^n, s_b)$ and is passed on to $E_2$. Note that $s_b = SK_R$ is the simulated secret-key used by $S$ (equivalently, $E_1$). Actually, we show that for any $k$, $1 \le k \le s(n)+1$, if the distribution ensemble of the set of extracted keys used in the $(k-1)$-th simulation repetition of $S(1^n, s_0)$ using $SK_R = s_0$, denoted $\{C_0^{k-1}\}_{n \in N, s_0 \in \{0,1\}^n, s_1 \in \{0,1\}^n}$, is indistinguishable from that of $\{C_1^{k-1}\}_{n \in N, s_0 \in \{0,1\}^n, s_1 \in \{0,1\}^n}$ (the set of extracted keys used in the $(k-1)$-th simulation repetition of $S(1^n, s_1)$), then the distribution ensembles $\{C_0^k\}_{n \in N, s_0 \in \{0,1\}^n, s_1 \in \{0,1\}^n}$ and $\{C_1^k\}_{n \in N, s_0 \in \{0,1\}^n, s_1 \in \{0,1\}^n}$ are also indistinguishable.

We consider an imaginary simulator $\hat{S}(1^n, s_b, C_b^{k-1})$ that mimics the experiment $E_2(1^n, s_b, C_b^{k-1})$ with respect to the set of extracted keys $C_b^{k-1}$. We remark that the run of $\hat{S}(1^n, s_b, C_b^{k-1})$ actually amounts to the experiment $\mathrm{EXPT}(1^n, w^b, aux^b)$ defined in Proposition 5.1, where $s_b$ plays the role of $w^b$ and $C_b^{k-1}$ plays the role of $aux^b$. Actually, $\hat{S}(1^n, s_b, C_b^{k-1})$ amounts to a restricted version of $\mathrm{EXPT}(1^n, w^b, aux^b)$. Specifically, $\hat{S}$ (who incorporates $C_b^{k-1}$ and internally runs the CMIM adversary $\mathcal{A}$) amounts to a many-left-one-right adversary against commit-then-PRZK: it concurrently interacts with its oracle (i.e., the prover $P(s_b)$ of commit-then-PRZK) in the many left sessions, and the only right session is the one (the successful Stage-1 of a left session or Stage-5 of a right session in $\hat{S}(1^n, s_b, C_b^{k-1})$) in which $\mathcal{A}$ successfully finishes the commit-then-proof w.r.t. an uncovered public-key not in $C_b^{k-1} \cup \{PK_L, PK_R\}$. By applying Proposition 5.1, it is easy to see that if the ensembles $\{C_0^{k-1}\}_{n \in N, s_0 \in \{0,1\}^n, s_1 \in \{0,1\}^n}$ and $\{C_1^{k-1}\}_{n \in N, s_0 \in \{0,1\}^n, s_1 \in \{0,1\}^n}$ are indistinguishable, then $\{C_0^k\}_{n \in N, s_0 \in \{0,1\}^n, s_1 \in \{0,1\}^n}$ and $\{C_1^k\}_{n \in N, s_0 \in \{0,1\}^n, s_1 \in \{0,1\}^n}$ are also indistinguishable. Finally, note that $C_0^0$ and $C_1^0$ (the sets of extracted keys corresponding to $F - \{PK_R\}$ at the beginning of the simulation) are identical: both are the empty set. By induction, we get that the distribution ensembles $\{C_0^k\}_{n \in N, s_0 \in \{0,1\}^n, s_1 \in \{0,1\}^n}$ and $\{C_1^k\}_{n \in N, s_0 \in \{0,1\}^n, s_1 \in \{0,1\}^n}$ are indistinguishable for any $k$, $1 \le k \le s(n)+1$.

But suppose Case-2 of Case-R2 failure occurs with non-negligible probability. That is, with the same probability, the value committed in $c_{crs}$ in the successful $i$-th right session, for some $i$, $1 \le i \le s(n)$, which is also the first successful session w.r.t. an uncovered public-key not in $C_b \cup \{PK_L, PK_R\}$, in $E_2(1^n, s_b, C_b)$ is the preimage of $y_b$. It can be directly checked that the tag used in Stage-5 of the $i$-th right session, $(PK_L^{(i)}, r_R^{(i)}, R_R^{(i)})$ where $PK_L^{(i)} \notin C_b \cup \{PK_L, PK_R\}$ and $r_R^{(i)}$ is a random $n$-bit string, must be different from the tags used by the prover $P(1^n, s_b)$ of commit-then-PRZK (i.e., the oracle of $E_2$). Recall that the tags of Stage-1 of right sessions (run by $P(s_b)$) are of the form $(\cdot, y_0, y_1)$ and the tags of Stage-5 of left sessions (run by $P(s_b)$) are of the form $(PK_L, \cdot, \cdot)$. Also note that $E_2$ actually amounts to a many-left-one-right CMIM adversary: all interactions except those with the prover $P(s_b)$ of commit-then-PRZK and the Stage-5 of the successful $i$-th right session can be internally emulated by $E_2$. This means that, given oracle access to the prover $P(s_b)$ of commit-then-PRZK and the indistinguishable $\{C_b\}_{n \in N, s_0 \in \{0,1\}^n, s_1 \in \{0,1\}^n}$, $E_2$ can successfully commit to the preimage of $y_b$ in the successful $i$-th right session under a different tag, which violates Proposition 5.1. This shows that Case-2 of Case-R2 failure can also occur with only negligible probability. Thus, Case-R2 failure occurs with at most negligible probability. This finishes the proof of Lemma 5.2, from which the simulatability of the CNM simulation depicted in Figure 3 is then established. □

• Strategy-restricted and predefinable randomness

Now we proceed to show the strategy-restricted and predefinable randomness property of the CNM simulator $S$ depicted in Figure 3. Denote by $R_L = \{R_L^{(1)}, R_L^{(2)}, \cdots, R_L^{(s(n))}\}$ the coin-tossing outputs of the $s(n)$ left sessions in $str$ (i.e., the first output of $S$), and by $sta_L = \{sta_L^{(1)}, sta_L^{(2)}, \cdots, sta_L^{(s(n))}\}$ the state information corresponding to $R_L$ included in $sta$ (i.e., the second output of $S$). Similarly, denote by $R_R = \{R_R^{(1)}, R_R^{(2)}, \cdots, R_R^{(s(n))}\}$ the coin-tossing outputs of the $s(n)$ right sessions in $str$, and by $sta_R = \{sta_R^{(1)}, sta_R^{(2)}, \cdots, sta_R^{(s(n))}\}$ the state information for $R_R$. We want to show that, with overwhelming probability, the distributions of $(R_L, sta_L)$ and of $(R_R, sta_R)$ are identical to that of $M_{CRS}^{s(n)}(1^n)$. Recall that $(\{r_1, r_2, \cdots, r_{s(n)}\}, \{\tau_1, \tau_2, \cdots, \tau_{s(n)}\}) \leftarrow M_{CRS}^{s(n)}(1^n)$ denotes the output of the experiment of running $M_{CRS}(1^n)$ independently $s(n)$ times.

Note that, according to the CNM simulation described in Figure 3, for any $i$, $1 \le i \le s(n)$, the output of the $i$-th left session, i.e., $R_L^{(i)}$, in the simulation is always $S_L^{(i)}$, and $sta_L^{(i)}$ is always $\tau_L^{(i)}$, where $(S_L^{(i)}, \tau_L^{(i)})$ is the output of an independent run of $M_{CRS}(1^n)$. It directly follows that the distribution of $(R_L, sta_L)$ is identical to that of $M_{CRS}^{s(n)}(1^n)$.

The complicated point is to show that, with overwhelming probability, the distribution of $(R_R, sta_R)$ is also identical to that of $M_{CRS}^{s(n)}(1^n)$. According to the CNM simulation depicted in Figure 3, it suffices to prove that, with overwhelming probability, for any $i$, $1 \le i \le s(n)$, the coin-tossing output of the successful $i$-th right session is either $S_R^{(i)}$ or $R_L^{(k)} = S_L^{(k)}$ for some $k$, $1 \le k \le s(n)$, and furthermore that any left-session output can be the coin-tossing output of at most one successful right session (which implies that the coin-tossing outputs of successful right sessions are independent); then the distribution of $(R_R, sta_R)$ is also identical to that of $M_{CRS}^{s(n)}(1^n)$.

For any $i$, $1 \le i \le s(n)$, we consider the successful $i$-th right session with respect to a public-key $PK_L^{(i)}$. As we have shown that Case-R2 failure occurs with negligible probability, we get $PK_L^{(i)} \in C_b \cup \{PK_R, PK_L\}$, where $C_b$ is the set of extracted keys (corresponding to the public-keys in $F - \{PK_R\}$) used by $S(s_b)$ in its last simulation repetition.

We first observe that, if $PK_L^{(i)} = PK_L$, then with overwhelming probability the Stage-5 tag of the successful $i$-th right session must be identical to the Stage-5 tag of a left session simulated by the simulator $S$. Recall that all Stage-5 tags of right sessions are different strings, as they contain random Stage-3 strings sent by the simulator. This also means that Stage-5 tags of right sessions are different from the Stage-1 tags of right sessions simulated by $S$ (note that all Stage-1 tags of right sessions are of the fixed form $(\cdot, y_0, y_1)$). Now, suppose the Stage-5 tag of the successful $i$-th right session is also different from the Stage-5 tags of all left sessions simulated by $S$; then the tag used by the CMIM adversary for Stage-5 of the $i$-th right session is different from all tags used by the simulator (equivalently, by the prover $P(s_b)$ of commit-then-PRZK in the experiment $E$ in the analysis of Lemma 5.2). By the AOK property, this implies that the value committed to in $c_{crs}$ (sent by $\mathcal{A}$ in Stage-5 of the $i$-th right session) can be extracted. We consider the possibilities for the value committed to in $c_{crs}$:

• By the one-wayness of $y_{1-b}$, the value committed cannot be the preimage of $y_{1-b}$;

• According to the analysis of Lemma 5.2, the value also cannot be the preimage of $y_b$.

Thus, the value committed (which can be extracted) must be the secret-key of $PK_L$, which however violates the one-wayness of $PK_L$, as the simulator never knows or uses the secret-key of $PK_L$ in its simulation. We therefore conclude that, if a successful right session is w.r.t. $PK_L$, the tag used by $\mathcal{A}$ for the commit-then-PRZK of Stage-5 must be identical to that of one left session simulated by $S$. As the Stage-5 tag contains the coin-tossing output, i.e., the Stage-4 message, this means that the coin-tossing output of the $i$-th right session must be $R_R^{(i)} = S_L^{(k)}$ for some $k$, $1 \le k \le s(n)$.

Now we consider the case $PK_L^{(i)} \ne PK_L$. In this case, $S$ has already learnt the corresponding secret-key $SK_L^{(i)}$. Suppose the coin-tossing output of the successful $i$-th right session is neither $S_R^{(i)}$ nor $R_L^{(k)} = S_L^{(k)}$ for any $k$, $1 \le k \le s(n)$. This implies that the Stage-5 tag used by $\mathcal{A}$ in the successful $i$-th right session is different from the Stage-5 tags of all left sessions$^{13}$ as well as from the Stage-1 tags of all right sessions simulated by $S$. Again by the AOK property, we consider the value committed to in $c_{crs}$. According to the simulation of $S$, it always sets the Stage-3 message $r_R^{(i)}$ of the $i$-th right session to be $PRF_{SK_L^{(i)}}(f_R^{(i)}) \oplus S_R^{(i)}$, where $f_R^{(i)}$ is the Stage-2 message of the $i$-th right session sent by the CMIM adversary $\mathcal{A}$. Suppose the coin-tossing output of the successful $i$-th right session is not $S_R^{(i)}$; then the value committed to in $c_{crs}$ cannot be $SK_L^{(i)}$, so it must be the preimage of either $y_{1-b}$ or $y_b$. But each case reaches a contradiction: committing to the preimage of $y_{1-b}$ is impossible due to the one-wayness of $y_{1-b}$, and committing to the preimage of $y_b$ violates the one-left-many-right non-malleability of PRZK as demonstrated in the analysis of Lemma 5.2. So we conclude that, with overwhelming probability, for any successful right session the coin-tossing output is either the independent value $S_R^{(i)}$ or $S_L^{(k)}$ for some $k$, $1 \le k \le s(n)$ (i.e., the coin-tossing output of one left session).

To finally establish the property of strategy-restricted and predefinable randomness, we need to further show that any $S_L^{(k)}$ can occur as the Stage-4 message (i.e., the coin-tossing output) of at most one successful right session. Suppose there are $i_0, i_1$, $1 \le i_0 \ne i_1 \le s(n)$, such that both the $i_0$-th right session and the $i_1$-th right session are successful with the same Stage-4 message $S_L^{(k)}$. Recall that the Stage-5 tag of each of the two right sessions includes the same $S_L^{(k)}$ as well as a random Stage-3 message sent by the simulator; also note that $S_L^{(k)}$ can appear, as part of a Stage-5 tag as well as a coin-tossing output, in at most one left session (all coin-tossing outputs, i.e., Stage-4 messages, of left sessions are independent random strings output by $M_{CRS}$). This implies that there must exist a bit $b$ such that the Stage-5 tag of the $i_b$-th right session is different from all Stage-5 tags of left sessions (run by the simulator) and from all Stage-1 tags of right sessions (run by the simulator). According to the above clarifications and analysis, with overwhelming probability, the (left-player) public-key $PK_L^{(i_b)}$ used by $\mathcal{A}$ in the $i_b$-th successful right session is covered and is not $PK_L$, and the value committed in $c_{crs}$ is neither the secret-key of the covered public-key $PK_L^{(i_b)}$ nor the preimage of $y_{1-b}$; also, the value committed cannot be the preimage of $y_b$ in accordance with the analysis of Lemma 5.2. A contradiction is reached in either case.

□

$^{13}$ Note that all Stage-5 tags of left sessions are of the form $(PK_L, \cdot, \cdot)$, and the Stage-5 tag of the successful $i$-th right session is of the form $(PK_L^{(i)}, \cdot, \cdot)$ for $PK_L^{(i)} \ne PK_L$.
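As an added illustration (this code is not part of the paper and does not reproduce its protocol), the following Python models the two mechanisms the argument above rests on: the simulator's Stage-3 message $r = PRF_{SK}(f) \oplus S$, which steers the coin-tossing output of a right session whose left-player key it has extracted to a value $S$ fixed in advance, and a checker for the two conditions on right-session outputs established above (each is either the session's own independent $S_R^{(i)}$ or some left output $S_L^{(k)}$, and no $S_L^{(k)}$ serves two successful right sessions). HMAC-SHA256 standing in for the PRF, 32-byte values standing in for $n$-bit strings, the reduction of a session to its coin-tossing messages, and all sample values are assumptions made for the example.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Sequence, Tuple

N_BYTES = 32  # assumption: the paper's n-bit strings are modelled as 32-byte values


def prf(sk: bytes, msg: bytes) -> bytes:
    """PRF_{sk}(msg); HMAC-SHA256 stands in for the paper's PRF (assumption)."""
    return hmac.new(sk, msg, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def stage3_message(sk: bytes, f: bytes, s_pre: bytes) -> bytes:
    """Simulator's Stage-3 message r = PRF_sk(f) XOR S_pre, where f is the
    adversary's Stage-2 message and S_pre is the output the simulator has
    fixed in advance for this session."""
    return xor(prf(sk, f), s_pre)


def coin_toss_output(sk: bytes, f: bytes, r: bytes) -> bytes:
    """Stage-4 coin-tossing output R = PRF_sk(f) XOR r, as computed by whoever
    holds sk. With r from stage3_message this is exactly S_pre."""
    return xor(prf(sk, f), r)


def check_predefinable_randomness(
    left_outputs: Sequence[bytes],
    right_predefined: Sequence[bytes],
    right_outputs: Sequence[Optional[bytes]],
) -> Tuple[bool, str]:
    """Check the two conditions from the text on a simulated run: every
    successful right session's output R_R^(i) is either its own predefined
    S_R^(i) or some left output S_L^(k), and each S_L^(k) is the output of at
    most one successful right session. None marks an aborted right session."""
    left_index = {v: k for k, v in enumerate(left_outputs)}
    used_left: Dict[int, int] = {}  # k -> right session that ended with S_L^(k)
    for i, out in enumerate(right_outputs):
        if out is None:
            continue  # aborted session: no output to check
        if out == right_predefined[i]:
            continue  # the independent, freshly sampled value
        k = left_index.get(out)
        if k is None:
            return False, f"right session {i}: output is neither S_R^({i}) nor any S_L^(k)"
        if k in used_left:
            return False, f"S_L^({k}) reused by right sessions {used_left[k]} and {i}"
        used_left[k] = i
    return True, "ok"


def _label(tag: str, idx: int) -> bytes:
    """Deterministic stand-in for an independent M_CRS / key-generation output
    (constructed sample data, not from the paper)."""
    return hashlib.sha256(f"{tag}-{idx}".encode()).digest()


def demo(reuse_left_output: bool = False) -> Tuple[bool, str]:
    """Constructed run with 3 left and 3 right sessions. Right session 0 is
    steered to its predefined S_R^(0) via the Stage-3 trick, right session 1
    copies the left output S_L^(2), right session 2 aborts. With
    reuse_left_output=True, session 2 instead also ends with S_L^(2), which
    the property forbids."""
    s_l = [_label("S_L", k) for k in range(3)]
    s_r = [_label("S_R", i) for i in range(3)]
    sk0 = _label("SK_L", 0)  # extracted (covered) left-player key of right session 0
    f0 = _label("f_R", 0)    # adversary's Stage-2 message in right session 0
    r0 = stage3_message(sk0, f0, s_r[0])
    right_outputs: List[Optional[bytes]] = [
        coin_toss_output(sk0, f0, r0),
        s_l[2],
        s_l[2] if reuse_left_output else None,
    ]
    return check_predefinable_randomness(s_l, s_r, right_outputs)


if __name__ == "__main__":
    print(demo())
    print(demo(reuse_left_output=True))
```

The checker returns a reason string alongside the verdict so that the violated condition (an output outside $\{S_R^{(i)}\} \cup \{S_L^{(k)}\}$, or a left output claimed twice) is visible; the second demo run exercises the reuse case that the final contradiction argument above rules out.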

• Secret-key independence

Specifically, we need to show that $\Pr[\mathcal{R}(SK_R, str, sta) = 1]$ is negligibly close to $\Pr[\mathcal{R}(SK'_R, str, sta) = 1]$ for any polynomial-time computable relation $\mathcal{R}$. In more detail, for any pair $(s_0, s_1)$ in the (simulated right-player) key-generation stage, denote by $(str^b, sta^b)$ the output of $S(1^n, s_b)$ when it uses $SK_R = s_b$. Then

$\Pr[\mathcal{R}(SK_R, str, sta) = 1] = \frac{1}{2}\Pr[\mathcal{R}(s_0, str^0, sta^0) = 1 \mid S \text{ uses } SK_R = s_0 \text{ in generating } (str^0, sta^0)] + \frac{1}{2}\Pr[\mathcal{R}(s_1, str^1, sta^1) = 1 \mid S \text{ uses } SK_R = s_1 \text{ in generating } (str^1, sta^1)]$,

and

$\Pr[\mathcal{R}(SK'_R, str, sta) = 1] = \frac{1}{2}\Pr[\mathcal{R}(s_0, str^1, sta^1) = 1 \mid S \text{ uses } SK_R = s_1 \text{ in generating } (str^1, sta^1)] + \frac{1}{2}\Pr[\mathcal{R}(s_1, str^0, sta^0) = 1 \mid S \text{ uses } SK_R = s_0 \text{ in generating } (str^0, sta^0)]$.

Suppose the secret-key independence property does not hold. Then there exists a bit $a \in \{0,1\}$ such that the difference between $\Pr[\mathcal{R}(s_a, str^0, sta^0) = 1 \mid S \text{ uses } s_0 \text{ in generating } (str^0, sta^0)]$ and $\Pr[\mathcal{R}(s_a, str^1, sta^1) = 1 \mid S \text{ uses } s_1 \text{ in generating } (str^1, sta^1)]$ is non-negligible. This implies that $(s_a, str^0, sta^0)$ and $(s_a, str^1, sta^1)$ are distinguishable. But note that the analysis of Lemma 5.2 and Proposition 5.1 has already established that the distribution ensembles $\{S(1^n, s_0) = (str^0, sta^0)\}_{n \in N, s_0 \in \{0,1\}^n, s_1 \in \{0,1\}^n}$ and $\{S(1^n, s_1) = (str^1, sta^1)\}_{n \in N, s_0 \in \{0,1\}^n, s_1 \in \{0,1\}^n}$ are indistinguishable. Specifically, the distribution ensembles of the sets of extracted keys corresponding to the public-keys in $F - \{PK_R\}$, $\{C_0\}_{n \in N, s_0 \in \{0,1\}^n, s_1 \in \{0,1\}^n}$ and $\{C_1\}_{n \in N, s_0 \in \{0,1\}^n, s_1 \in \{0,1\}^n}$, used by $S(1^n, s_b)$ for $b \in \{0,1\}$ in the last simulation repetition, are indistinguishable, and then the indistinguishability between the ensembles $\{(str^0, sta^0)\}_{n \in N, s_0 \in \{0,1\}^n, s_1 \in \{0,1\}^n}$ and $\{(str^1, sta^1)\}_{n \in N, s_0 \in \{0,1\}^n, s_1 \in \{0,1\}^n}$ follows from Proposition 5.1.

The proof of Theorem 5.1 is finished. □